3.4.2.3 Ensure loopback traffic is configured - v6

Information

Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6).

Rationale:

Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Solution

Run the following commands to implement the loopback rules:

# ufw allow in on lo

# ufw allow out from lo

# sudo ufw deny in from 127.0.0.0/8

# sudo ufw deny in from ::1

See Also

https://workbench.cisecurity.org/files/2970

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv7|9.4

Plugin: Unix

Control ID: 84d9bd767093593116b74784c24311f3d20f0ddbb76fed9cf3f654abca9928e7