Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-38686 | RHEL-06-000320 | SV-50487r2_rule | Medium |
| Description |
|---|
| In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2018-11-28 |
Details
| Check Text ( C-46248r2_chk ) |
|---|
| Run the following command to ensure the default "FORWARD" policy is "DROP": # iptables -nvL | grep -i forward Chain FORWARD (policy DROP 0 packets, 0 bytes) If the default policy for the FORWARD chain is not set to DROP, this is a finding. |
| Fix Text (F-43635r1_fix) |
|---|
| To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in "/etc/sysconfig/iptables": :FORWARD DROP [0:0] |