Information
The service, ufw.service, manages UFW. This service is responsible for applying and maintaining firewall rules, controlling which network traffic is allowed in and out of the system.
Note:
- When running ufw enable or starting ufw.service, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections, e.g. SSH. ufw does support adding rules before enabling the firewall.
- Once ufw is 'enabled', ufw will not flush the chains when adding or removing rules (but will when modifying a rule or changing the default policy).
- By default ufw will prompt when enabling the firewall while running under SSH. This can be disabled by using ufw --force enable.
Warning: If a rule for the OpenSSH server does not exist, and OpenSSH is used to administer the host, the ability to administer and/or connect to the host may be lost.
Example command to create a rule to allow ssh:
# ufw allow proto tcp from any to any port 22
This rule will allow connections to the SSH server from any location. It is highly recommended that this rule be modified to restrict SSH access to only the required hosts and to follow local site policy.
- The chains will still be flushed when the firewall is enabled, but because the rule was added beforehand the SSH port will be open once enabling completes.
The ufw service must be enabled and running in order for ufw to protect the system.
Solution
Run the following command to unmask the ufw.service :
# systemctl unmask ufw.service
Run the following command to enable and start the ufw.service :
# systemctl --now enable ufw.service
Run the following command to enable ufw :
# ufw enable
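The remediation steps above, combined into one script that also checks for an SSH rule before the chains are flushed. This is an added example, not part of the benchmark text; it assumes a systemd host with ufw installed and an OpenSSH server on TCP/22, and ADMIN_NET is a hypothetical variable naming the network allowed to reach SSH (defaults to "any", matching the rule shown above). The sample `ufw status` output is constructed so the helper checks can run offline.

```shell
#!/bin/sh
# Added example (not from the benchmark text): enable ufw from an SSH session
# without losing the session. Assumes a systemd host with ufw installed and an
# OpenSSH server on TCP/22. ADMIN_NET is a hypothetical variable naming the
# network allowed to reach SSH; it defaults to "any", as in the benchmark's rule.
ADMIN_NET="${ADMIN_NET:-any}"

# Constructed sample `ufw status` output, used for the offline checks below.
SAMPLE_STATUS_WITH_SSH='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

SAMPLE_STATUS_INACTIVE='Status: inactive'

# Succeed when the given `ufw status` output reports the firewall as active.
ufw_is_active() {
    printf '%s\n' "$1" | grep -q '^Status: active$'
}

# Succeed when the given `ufw status` output already contains an inbound ALLOW
# rule for SSH, in either the port form (22/tcp, 22) or the app-profile form.
# Outbound rules ("ALLOW OUT") do not count.
has_ssh_rule() {
    printf '%s\n' "$1" \
        | grep -E '^(22/tcp|22|OpenSSH)[[:space:]].*ALLOW' \
        | grep -vq 'ALLOW OUT'
}

# The remediation steps in order: unmask and start the unit, make sure an SSH
# rule exists before the chains are flushed, then enable without the prompt.
enable_ufw_safely() {
    systemctl unmask ufw.service
    systemctl --now enable ufw.service

    current_status="$(ufw status)"
    if ! has_ssh_rule "$current_status"; then
        ufw allow proto tcp from "$ADMIN_NET" to any port 22
    fi

    # --force skips the interactive prompt shown when enabling under SSH.
    ufw --force enable

    # Refuse to report success unless ufw confirms it is active.
    ufw_is_active "$(ufw status)"
}

# Only touch the live system when explicitly asked, so the file can be sourced
# or run for its checks without changing firewall state.
case "${1:-}" in
    --apply) enable_ufw_safely ;;
esac
```

Run it as root with `--apply` to perform the steps; set `ADMIN_NET=192.0.2.0/24` (or whatever your site policy requires) first to restrict SSH to the administrative network instead of allowing it from anywhere.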
Impact:
Changing firewall settings while connected over the network can result in being locked out of the system.