3.4.3.4 Ensure loopback traffic is configured - v6

Information

Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network

Rationale:

Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Solution

Run the following commands to implement the loopback rules:

# nft add rule inet filter input iif lo accept

# nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop

IF IPv6 is enabled on the system, run the following command to implement the IPv6 loopback rule:

# nft add rule inet filter input ip6 saddr ::1 counter drop

See Also

https://workbench.cisecurity.org/files/2970

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv7|9.4

Plugin: Unix

Control ID: 748d308351a2279c31974f535692219b94dbe2e36e325232e7a3b88f7f668258