UCF STIG Viewer Logo

The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.


Finding ID Version Rule ID IA Controls Severity
V-218102 RHEL-06-000523 SV-218102r505923_rule Medium
In "ip6tables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2020-09-03


Check Text ( C-19583r377321_chk )
If IPv6 is disabled, this is not applicable.

Inspect the file "/etc/sysconfig/ip6tables" to determine the default policy for the INPUT chain. It should be set to DROP:

# grep ":INPUT" /etc/sysconfig/ip6tables

If the default policy for the INPUT chain is not set to DROP, this is a finding.
Fix Text (F-19581r377322_fix)
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/ip6tables":


Restart the IPv6 firewall:

# service ip6tables restart