3.4.2.4 Ensure host based firewall loopback traffic is configured

Information

Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network.

Rationale:

Loopback traffic is generated between processes on the machine and is typically critical to the operation of the system. The loopback interface is the only place loopback network traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Solution

Run the following script to implement the loopback rules:

#!/usr/bin/env bash

{
   l_hbfw=""
   # Determine which single host-based firewall utility is enabled (FirewallD or NFTables, never both).
   if systemctl is-enabled firewalld.service | grep -q 'enabled' && systemctl is-enabled nftables.service | grep -q 'enabled'; then
      echo -e "\n- Error - Both FirewallD and NFTables are enabled\n- Please follow recommendation: \"Ensure a single firewall configuration utility is in use\""
   elif ! systemctl is-enabled firewalld.service | grep -q 'enabled' && ! systemctl is-enabled nftables.service | grep -q 'enabled'; then
      echo -e "\n- Error - Neither FirewallD or NFTables is enabled\n- Please follow recommendation: \"Ensure a single firewall configuration utility is in use\""
   else
      if systemctl is-enabled firewalld.service | grep -q 'enabled' && ! systemctl is-enabled nftables.service | grep -q 'enabled'; then
         echo -e "\n- FirewallD is in use on the system" && l_hbfw="fwd"
      elif ! systemctl is-enabled firewalld.service | grep -q 'enabled' && systemctl is-enabled nftables.service | grep -q 'enabled'; then
         echo -e "\n- NFTables is in use on the system" && l_hbfw="nft"
      fi
      # Collect the "ip saddr" rules of the input chain (FirewallD's filter_IN_public_deny chain or a native nftables input hook).
      l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook\s+input\s+/,/}\s*(#.*)?$/' | grep -P -- 'ip\h+saddr')"
      # Rule 1: accept all traffic arriving on the loopback interface.
      if ! nft list ruleset | awk '/hook\s+input\s+/,/}\s*(#.*)?$/' | grep -Pq -- '\H+\h+"lo"\h+accept'; then
         echo -e "\n- Enabling input to accept for loopback address"
         if [ "$l_hbfw" = "fwd" ]; then
            firewall-cmd --permanent --zone=trusted --add-interface=lo
            firewall-cmd --reload
         elif [ "$l_hbfw" = "nft" ]; then
            # Assumes the "inet filter" table and its "input" chain already exist.
            nft add rule inet filter input iif lo accept
         fi
      fi
      # Rule 2: drop IPv4 packets claiming a loopback source address on any other interface (anti-spoofing).
      if ! grep -Pq -- 'ip\h+saddr\h+127\.0\.0\.0\/8\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ipsaddr" && ! grep -Pq -- 'ip\h+daddr\h+!=\h+127\.0\.0\.1\h+ip\h+saddr\h+127\.0\.0\.1\h+drop' <<< "$l_ipsaddr"; then
         echo -e "\n- Setting IPv4 network traffic from loopback address to drop"
         if [ "$l_hbfw" = "fwd" ]; then
            firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
            firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
            firewall-cmd --reload
         elif [ "$l_hbfw" = "nft" ]; then
            nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop
         fi
      fi
      # Rule 3: the same anti-spoofing drop for IPv6 (::1), only when IPv6 is not disabled in the kernel.
      if grep -Pq -- '^\h*0\h*$' /sys/module/ipv6/parameters/disable; then
         l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')"
         if ! grep -Pq 'ip6\h+saddr\h+::1\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ip6saddr" && ! grep -Pq -- 'ip6\h+daddr\h+!=\h+::1\h+ip6\h+saddr\h+::1\h+drop' <<< "$l_ip6saddr"; then
            echo -e "\n- Setting IPv6 network traffic from loopback address to drop"
            if [ "$l_hbfw" = "fwd" ]; then
               firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
               firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
               firewall-cmd --reload
            elif [ "$l_hbfw" = "nft" ]; then
               nft add rule inet filter input ip6 saddr ::1 counter drop
            fi
         fi
      fi
   fi
}
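As an added example (not part of the benchmark script above), the following POSIX shell audit helper applies the script's own match logic to saved `nft list ruleset` text, so the three expected loopback rules can be checked offline or in CI without touching the live firewall. The two rulesets are constructed samples and the function names are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the benchmark script. Reads `nft list ruleset`
# text and reports which of the three expected loopback rules is missing.

# Constructed sample of `nft list ruleset` output from a compliant nftables host.
COMPLIANT_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
        ip6 saddr ::1 counter packets 0 bytes 0 drop
    }
}'

# Constructed sample with the accept rule only: spoofed loopback source
# addresses arriving on other interfaces would not be dropped.
NOSPOOF_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
    }
}'

# Keep only the lines of the input chain (same awk range the benchmark script uses).
input_chain_lines() {
    awk '/filter_IN_public_deny|hook[ \t]+input[ \t]+/,/}[ \t]*(#.*)?$/'
}

# Each check reads a ruleset on stdin and succeeds when the rule is present.
has_lo_accept() {
    input_chain_lines | grep -Eq '[^[:space:]]+[[:space:]]+"lo"[[:space:]]+accept'
}
has_ipv4_lo_drop() {
    input_chain_lines | grep -Eq 'ip[[:space:]]+saddr[[:space:]]+127\.0\.0\.0/8[[:space:]]+(counter[[:space:]]+packets[[:space:]]+[0-9]+[[:space:]]+bytes[[:space:]]+[0-9]+[[:space:]]+)?drop'
}
has_ipv6_lo_drop() {
    input_chain_lines | grep -Eq 'ip6[[:space:]]+saddr[[:space:]]+::1[[:space:]]+(counter[[:space:]]+packets[[:space:]]+[0-9]+[[:space:]]+bytes[[:space:]]+[0-9]+[[:space:]]+)?drop'
}

# Audit a ruleset string: print each missing rule, return how many are missing (0 = compliant).
audit_loopback() {
    missing=0
    printf '%s\n' "$1" | has_lo_accept    || { echo "- missing: iif lo accept"; missing=$((missing + 1)); }
    printf '%s\n' "$1" | has_ipv4_lo_drop || { echo "- missing: ip saddr 127.0.0.0/8 drop"; missing=$((missing + 1)); }
    printf '%s\n' "$1" | has_ipv6_lo_drop || { echo "- missing: ip6 saddr ::1 drop"; missing=$((missing + 1)); }
    return "$missing"
}

# On a live host, pass "$(nft list ruleset)" instead of the constructed samples.
audit_loopback "$COMPLIANT_RULESET" && echo "compliant sample: all loopback rules present"
audit_loopback "$NOSPOOF_RULESET" || echo "non-compliant sample: $? rule(s) missing"
```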

See Also

https://workbench.cisecurity.org/benchmarks/12705

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 5b31d4eeaf1a76e368dd14fc1ef88564df6238b95e4c5233f690d6bd2e210faa