A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-230504 | RHEL-08-040090 | SV-230504r958672_rule | CCI-002314 | medium |

Description

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. RHEL 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used to implement a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless they are explicitly allowed by the configuration file or are related to an outgoing network connection.

| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 8 Security Technical Implementation Guide | 2025-05-14 |
Details
Check Text (C-230504r958672_chk)
Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:
$ sudo firewall-cmd --state
running
$ sudo firewall-cmd --get-active-zones
[custom]
interfaces: ens33
$ sudo firewall-cmd --info-zone=[custom] | grep target
target: DROP
If no zones are active on the RHEL 8 interfaces, or if the target is set to anything other than "DROP", this is a finding.
If the "firewalld" package is not installed, ask the System Administrator if an alternate firewall (such as iptables) is installed and in use, and how it is configured to employ a deny-all, allow-by-exception policy.
If the alternate firewall is not configured to employ a deny-all, allow-by-exception policy, this is a finding.
If no firewall is installed, this is a finding.
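The check above is three commands whose output a reviewer reads by eye. The script below is an added example (not part of the STIG) that applies the same decision rule to captured output: firewalld must report "running", at least one zone must be active, and every active zone's target must be DROP. The firewall-cmd output it parses is constructed sample text; the zone name "custom", the interface "ens33" and the stand-in function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the STIG): evaluates the output of the three
# check commands for RHEL-08-040090. All sample output below is constructed;
# zone name "custom" and interface "ens33" are assumptions.

# Constructed output of: sudo firewall-cmd --state
SAMPLE_STATE="running"

# Constructed output of: sudo firewall-cmd --get-active-zones (compliant host)
SAMPLE_ACTIVE_ZONES="custom
  interfaces: ens33"

# Constructed output of the same command on a host still using "public"
SAMPLE_ACTIVE_PUBLIC="public
  interfaces: ens33"

# Constructed output of: sudo firewall-cmd --info-zone=<zone>
SAMPLE_INFO_CUSTOM="custom (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: ssh
  ports:"

SAMPLE_INFO_PUBLIC="public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: cockpit dhcpv6-client ssh
  ports:"

# Stand-in for "firewall-cmd --info-zone=$1" that serves the constructed text.
sample_info_zone() {
    case "$1" in
        custom) printf '%s\n' "$SAMPLE_INFO_CUSTOM" ;;
        public) printf '%s\n' "$SAMPLE_INFO_PUBLIC" ;;
        *) return 1 ;;
    esac
}

# On a real host, pass this function instead of sample_info_zone.
real_info_zone() {
    sudo firewall-cmd --info-zone="$1"
}

# Decision rule from the Check Text: firewalld running, at least one active
# zone, and every active zone's target is DROP. Prints one line per condition
# and returns 0 when compliant, 1 when this is a finding.
#   $1 = --state output, $2 = --get-active-zones output,
#   $3 = name of a function that prints --info-zone output for the zone in $1
stig_040090_check() {
    state="$1"; zones="$2"; info_fn="$3"
    if [ "$state" != "running" ]; then
        echo "finding: firewalld state is '$state', expected 'running'"
        return 1
    fi
    # Zone names are the unindented lines; "interfaces:"/"sources:" are indented.
    names=$(printf '%s\n' "$zones" | grep -v '^[[:space:]]' | grep -v '^$' || true)
    if [ -z "$names" ]; then
        echo "finding: no zones are active on any interface"
        return 1
    fi
    rc=0
    for z in $names; do
        target=$("$info_fn" "$z" | sed -n 's/^[[:space:]]*target:[[:space:]]*//p')
        if [ "$target" = "DROP" ]; then
            echo "ok: active zone '$z' target is DROP"
        else
            echo "finding: active zone '$z' target is '${target:-unset}', expected DROP"
            rc=1
        fi
    done
    return $rc
}

# Offline demonstration against the constructed output: first case passes,
# second case (default "public" zone, target "default") is a finding.
for zones in "$SAMPLE_ACTIVE_ZONES" "$SAMPLE_ACTIVE_PUBLIC"; do
    if stig_040090_check "$SAMPLE_STATE" "$zones" sample_info_zone; then
        echo "result: compliant"
    else
        echo "result: finding"
    fi
done
# On a real host:
# stig_040090_check "$(sudo firewall-cmd --state)" \
#     "$(sudo firewall-cmd --get-active-zones)" real_info_zone
```

The rule deliberately fails on an active zone whose target is "default" or "ACCEPT" even when that zone has no services listed, because the requirement is the DROP target itself, not an empty allow list; a zone inheriting the default target will accept traffic for any service later added by a package post-install script.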
Fix Text (F-33148r942941_fix)
Configure the "firewalld" daemon to employ a deny-all, allow-by-exception policy with the following commands:
$ sudo firewall-cmd --permanent --new-zone=[custom]
$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml
This will provide a clean configuration file to work with that employs a deny-all approach.
Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name.
Reload the firewall rules to make the new [custom] zone available to load:
$ sudo firewall-cmd --reload
Set the default zone to the new [custom] zone:
$ sudo firewall-cmd --set-default-zone=[custom]
Note: This is a runtime and permanent change.
Add any interfaces to the new [custom] zone:
$ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33
Reload the firewall rules for changes to take effect:
$ sudo firewall-cmd --reload
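The Fix Text copies the stock drop.xml and then tells the administrator to edit its short title and add exceptions by hand. The script below is an added example (not part of the STIG or of firewalld) that produces that edited zone file from the drop.xml text and checks the result still carries target="DROP" before it is installed. The drop.xml content is a constructed copy of the stock file; the zone name "custom", interface "ens33" and the service names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the STIG): builds the [custom] zone file the Fix
# Text describes from the stock drop.xml, renaming the short title and adding
# the required exceptions as <service> elements. Zone name "custom",
# interface "ens33" and the service list are assumptions.

# Constructed copy of the stock /usr/lib/firewalld/zones/drop.xml content.
STOCK_DROP_XML='<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
</zone>'

# Print the zone XML for zone $1 derived from the drop.xml text in $2, with
# one <service name="..."/> exception per remaining argument inserted before
# </zone>. The target="DROP" attribute is left untouched, so the deny-all
# default stays in force and only the listed services are allowed in.
build_custom_zone_xml() {
    zone="$1"; stock="$2"; shift 2
    printf '%s\n' "$stock" | awk -v zone="$zone" -v svcs="$*" '
        /<short>/  { sub(/<short>[^<]*<\/short>/, "<short>" zone "</short>") }
        /<\/zone>/ {
            n = split(svcs, a, " ")
            for (i = 1; i <= n; i++) printf "  <service name=\"%s\"/>\n", a[i]
        }
        { print }'
}

# Sanity checks to run on the generated file before installing it: the
# target must still be DROP and the short title must match the zone name.
# $1 = zone XML text, $2 = expected zone name. Returns 0 when both hold.
zone_xml_is_deny_all() {
    printf '%s\n' "$1" | grep -q '<zone target="DROP">' || return 1
    printf '%s\n' "$1" | grep -q "<short>$2</short>" || return 1
    return 0
}

# The Fix Text commands in order, for a real host (not run here). Writing the
# generated XML replaces the manual "cp drop.xml" plus hand edit.
apply_fix() {
    zone="$1"; iface="$2"; xml="$3"
    sudo firewall-cmd --permanent --new-zone="$zone"
    printf '%s\n' "$xml" | sudo tee "/etc/firewalld/zones/${zone}.xml" >/dev/null
    sudo firewall-cmd --reload
    sudo firewall-cmd --set-default-zone="$zone"
    sudo firewall-cmd --permanent --zone="$zone" --change-interface="$iface"
    sudo firewall-cmd --reload
}

# Offline demonstration: generate the zone file with ssh as the only exception
# and confirm it is still deny-all before it would be installed.
CUSTOM_XML=$(build_custom_zone_xml custom "$STOCK_DROP_XML" ssh)
printf '%s\n' "$CUSTOM_XML"
if zone_xml_is_deny_all "$CUSTOM_XML" custom; then
    echo "zone file ok: target DROP, short title 'custom'"
    # apply_fix custom ens33 "$CUSTOM_XML"
else
    echo "refusing to install: zone file is not deny-all" >&2
fi
```

Exceptions can equally be added after the zone exists with firewall-cmd --permanent --zone=custom --add-service=ssh followed by --reload; the generated-file approach above has the advantage that the complete allow list is reviewable in one place before the interface is moved into the zone, which matters because --change-interface takes effect on the next reload and any service missing at that point is dropped.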