3.5.3.6 Ensure default deny firewall policy - forward

Information

Base chain policy is the default verdict that will be applied to packets reaching the end of the chain.

Rationale:

There are two policies: accept (default) and drop. If the policy is set to accept, the firewall will accept any packet that is not configured to be denied, and the packet will continue traversing the network stack.

It is easier to white list acceptable usage than to black list unacceptable usage.

Solution

Run the following command for each of the base chains with the input, forward, and output hooks to implement a default DROP policy (the semicolon is escaped so the shell passes it to nft instead of treating it as a command separator):

# nft chain <table family> <table name> <chain name> { policy drop \; }

Example:

# nft chain inet filter input { policy drop \; }

# nft chain inet filter forward { policy drop \; }

# nft chain inet filter output { policy drop \; }

Impact:

If configuring nftables over SSH, creating a base chain with a policy of drop will cause loss of connectivity.

Ensure that a rule allowing SSH has been added to the base chain prior to setting the base chain's policy to drop.
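An audit helper for this control, added here as an example and not part of the CIS benchmark or the Tenable plugin: it parses the text of nft list ruleset and flags any input, forward or output base chain whose policy is not drop. The sample ruleset is constructed (note the SSH accept rule already present in the input chain before its drop policy); the functions take the ruleset text as their argument so they can be run against real nft list ruleset output.

```shell
#!/bin/sh
# Constructed sample resembling `nft list ruleset` on a host where the
# forward chain still carries the default accept policy.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy drop;
    }
}'

# base_chain_policies RULESET_TEXT
# Prints one line per base chain: "<hook> <policy>".
base_chain_policies() {
    printf '%s\n' "$1" | awk '
        /type filter hook/ {
            hook = ""; policy = "accept"   # nft default when no policy is shown
            for (i = 1; i <= NF; i++) {
                if ($i == "hook") hook = $(i + 1)
                if ($i == "policy") { policy = $(i + 1); sub(/;$/, "", policy) }
            }
            print hook, policy
        }'
}

# check_default_deny RULESET_TEXT
# Returns 0 when the input, forward and output base chains all use policy
# drop; otherwise prints each offending hook and returns 1.
check_default_deny() {
    rc=0
    for hook in input forward output; do
        policy=$(base_chain_policies "$1" | awk -v h="$hook" '$1 == h { print $2; exit }')
        if [ "$policy" != "drop" ]; then
            echo "FAIL: base chain for hook '$hook' has policy '${policy:-missing}'"
            rc=1
        fi
    done
    return $rc
}
```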

Default Value:

accept

References:

Manual Page nft

Notes:

Changing firewall settings while connected over the network can result in being locked out of the system.

See Also

https://workbench.cisecurity.org/files/2611

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(15)

Plugin: Unix

Control ID: 698428c8f7931caef6ddf75ace244c0c9e21bdf2f9978df33058ae29e51a1519