3.4.1.7 Ensure ufw default deny firewall policy

Information

A default deny policy on connections ensures that any unconfigured network usage will be rejected.

Note: Any port or protocol without a explicit allow before the default deny will be blocked

With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to allow list acceptable usage than to deny list unacceptable usage.

Solution

Run the following commands to implement a default

deny

policy:

# ufw default deny incoming
# ufw default deny outgoing
# ufw default deny routed

Impact:

Any port and protocol not explicitly allowed will be blocked. The following rules should be considered before applying the default deny.

ufw allow git
ufw allow in http
ufw allow out http <- required for apt to connect to repository
ufw allow in https
ufw allow out https
ufw allow out 53
ufw logging on

See Also

https://workbench.cisecurity.org/benchmarks/15023

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 9330722db995bf5be0668f6d13659daceae16a8522a10dc2e70e9ade23ed5c10