
The firewall implementation must block any packet with a source or destination of the IPv4 local host loopback address (127.0.0.0/8).


Overview

Finding ID: SRG-NET-000018-FW-000205
Version: SRG-NET-000018-FW-000205
Rule ID: SRG-NET-000018-FW-000205_rule
IA Controls:
Severity: Medium
Description
The IPv4 loopback address should never be used as the source or destination IP address of an inbound or outbound transmission. Packets with a source or destination IP address in the 127.0.0.0/8 prefix are bogus and may be malicious. The loopback address is used by an Inter-Processor Control (IPC) mechanism that enables the client and server portion of an application running on the same machine to communicate. Any packet with a source or destination IP address of 127.0.0.0/8 must not appear outside of an enclave or be routed.
STIG: Firewall Security Requirements Guide
Date: 2014-07-07

Details

Check Text (C-SRG-NET-000018-FW-000205_chk)
Review the configuration of the firewall implementation; if the 127.0.0.0/8 prefix is allowed as a source or destination, this is a finding.
Fix Text (F-SRG-NET-000018-FW-000205_fix)
Configure the firewall/ACL to block traffic using the 127.0.0.0/8 prefix as a source or destination address.
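
One way to automate the check above, as an added example that is not part of the SRG: the script flags any permit rule that can pass traffic with 127.0.0.0/8 as source or destination before a deny covers it. The rule syntax, the sample rule set and the function names are hypothetical; it assumes top-down, first-match evaluation, so a real device export needs its own parser.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample in a hypothetical vendor-neutral format:
# "<action> <source> <destination>", top-down, first match wins.
SAMPLE_RULES = """\
permit 127.0.0.1/32 10.0.0.0/8   # allowed before the loopback denies
deny   127.0.0.0/8  any
deny   any          127.0.0.0/8
permit 10.0.0.0/8   any
permit any          192.0.2.0/24
"""

def to_net(token):
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)

def parse_rules(text):
    # Returns (line_no, action, src_net, dst_net) per rule; '#' starts a comment.
    rules = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if fields:
            action, src, dst = fields
            rules.append((line_no, action.lower(), to_net(src), to_net(dst)))
    return rules

def intersect(a, b):
    """CIDR blocks either nest or are disjoint, so the overlap is the smaller."""
    if not a.overlaps(b):
        return None
    return a if a.subnet_of(b) else b

def loopback_findings(text):
    """List (line_no, side) for permits that can pass 127.0.0.0/8 traffic."""
    rules, findings = parse_rules(text), []
    for i, (line_no, action, src, dst) in enumerate(rules):
        if action != "permit":
            continue
        for side, label in ((0, "source"), (1, "destination")):
            pair = [src, dst]
            pair[side] = intersect(pair[side], LOOPBACK)
            # Conservative: only one earlier deny covering the whole slice shadows it.
            if pair[side] is not None and not any(
                    a == "deny" and pair[0].subnet_of(s) and pair[1].subnet_of(d)
                    for _, a, s, d in rules[:i]):
                findings.append((line_no, label))
    return findings

if __name__ == "__main__":
    print(loopback_findings(SAMPLE_RULES))
```

Because shadowing is only credited to a single earlier deny, a permit that is blocked by several narrower denies together is still reported and should be reviewed by hand.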