AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269246 | ALMA-09-018830 | SV-269246r1050780_rule | CCI-000366 | medium |
| Description | ||||
| Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD data. AlmaLinux OS 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. | ||||
| STIG | Date | |||
| CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide | 2025-05-22 | |||
Details
Check Text (C-269246r1050780_chk)
Verify the AlmaLinux OS 9 "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems.
First ensure firewalld is running:
$ firewall-cmd --state
running
Next, get the active zones:
$ firewall-cmd --get-active-zones
public
interfaces: enp1s0
Check the target of the zones returned from the previous command:
$ firewall-cmd --info-zone=public | grep target
target: DROP
Check the runtime and permanent rules match:
$ firewall-cmd --permanent --info-zone=public | grep target
target: DROP
If no zones are active on the AlmaLinux OS 9 interfaces or if runtime and permanent targets are set to a different option other than "DROP", this is a finding.
Fix Text (F-73178r1050780_fix)
Configure the "firewalld" daemon to employ a deny-all, allow-by-exception.
Start by adding the exceptions that are required for mission functionality to the "drop" zone. If SSH access on port 22 is needed for example, run the following command:
$ firewall-cmd --permanent --add-service=ssh --zone=drop
Set the default zone to the "drop" zone:
$ firewall-cmd --set-default-zone=drop
Note: This is a runtime and a permanent change.
Add any interfaces to the newly modified "drop" zone:
$ firewall-cmd --permanent --zone=drop --change-interface=enp1s0
Reload the firewall rules for changes to take effect:
$ firewall-cmd --reload
Check zones and interfaces:
$ firewall-cmd --get-active-zones
drop
interfaces: enp1s0
Check new default zone's target is set to "DROP":
$ firewall-cmd --permanent --info-zone=drop | grep target
target: DROP
The same outcome is achieved by creating a new zone, for example:
$ firewall-cmd --permanent --new-zone=stig
$ firewall-cmd --reload
$ firewall-cmd --permanent --change-interface=enp1s0 --zone=stig
$ firewall-cmd --permanent --add-service=ssh --zone=stig
$ firewall-cmd --permanent --set-target=DROP --zone=stig
$ firewall-cmd --set-default-zone=stig