4.2.8 Ensure nftables default deny firewall policy

Information

Base chain policy is the default verdict that will be applied to packets reaching the end of the chain.

There are two policies: accept (the default) and drop. If the policy is set to accept, the firewall accepts any packet that is not explicitly denied by a rule, and the packet continues traversing the network stack.

It is easier to whitelist acceptable usage than to blacklist unacceptable usage.

Note: Changing firewall settings while connected over network can result in being locked out of the system.

Solution

Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy:

# nft chain <table family> <table name> <chain name> { policy drop \; }

(The semicolon is escaped so the shell passes it to nft instead of treating it as a command separator; quoting the whole brace expression works as well.)

Example:

# nft chain inet filter input { policy drop \; }

# nft chain inet filter forward { policy drop \; }

# nft chain inet filter output { policy drop \; }

Impact:

If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity.

Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop.
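The following audit helper is an added example and is not part of the CIS benchmark or of Tenable's own check. It reads the text output of `nft list ruleset` and reports every base chain (a chain with a hook) whose policy is not drop, treating a chain with no policy keyword as accept, which is the nftables default. A second function checks that the input chain already carries an accepting rule for tcp port 22 before the policy is tightened, which is the precondition the Impact note describes. The ruleset it is run against is constructed for the example; on a real host you would pipe `nft list ruleset` into the functions instead.

```shell
#!/bin/sh
# Constructed sample, formatted the way `nft list ruleset` prints a ruleset.
# Only "input" is compliant: "forward" explicitly accepts, "output" has no
# policy keyword (so it defaults to accept), and "helper" is not a base chain.
SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ct state established,related accept
		tcp dport 22 accept
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0;
		ct state established,related accept
	}
	chain helper {
		tcp dport 80 accept
	}
}'

# audit_base_chains: reads a ruleset on stdin and prints one line per
# non-compliant base chain as "family table chain policy". Returns 0 when
# every base chain has policy drop, 1 otherwise. Assumes the listing style
# shown above, where type/hook/policy share one line inside the chain.
audit_base_chains() {
	awk '
	/^table / { family = $2; table = $3 }
	/^[[:space:]]*chain / { chain = $2; hook = ""; policy = "" }
	/type .* hook / {
		hook = "yes"
		policy = "accept"   # nftables default when no policy keyword is present
		if (match($0, /policy [a-z]+/))
			policy = substr($0, RSTART + 7, RLENGTH - 7)
	}
	/^[[:space:]]*}/ && chain != "" {
		if (hook == "yes" && policy != "drop") {
			printf "%s %s %s %s\n", family, table, chain, policy
			bad = 1
		}
		chain = ""
	}
	END { exit bad ? 1 : 0 }
	'
}

# chain_allows_ssh: reads a ruleset on stdin and returns 0 if the input
# chain contains an accept rule for tcp dport 22, 1 otherwise. Run this
# before switching the input chain to policy drop over a remote session.
chain_allows_ssh() {
	awk '
	/^[[:space:]]*chain input / { in_input = 1 }
	in_input && /^[[:space:]]*}/ { in_input = 0 }
	in_input && /dport 22/ && /accept/ { found = 1 }
	END { exit found ? 0 : 1 }
	'
}

# Demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_RULESET" | audit_base_chains; then
	echo "PASS: every base chain has policy drop"
else
	echo "FAIL: the base chains listed above do not default to drop"
fi

if printf '%s\n' "$SAMPLE_RULESET" | chain_allows_ssh; then
	echo "input chain allows ssh; safe to set policy drop on it"
else
	echo "input chain has no ssh allow rule; add one before setting policy drop"
fi
```

Against the sample, the audit lists `inet filter forward accept` and `inet filter output accept` and exits non-zero; after running the three `nft chain ... { policy drop \; }` commands from the Solution on a live system, the same audit of `nft list ruleset` would print nothing and exit zero.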

See Also

https://workbench.cisecurity.org/benchmarks/17074

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: c527274935969102593740be4e26b87d3716c530e4e31bdd87863c215d6154bc