3.5.2.8 Ensure nftables default deny firewall policy - input

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Base chain policy is the default verdict that will be applied to packets reaching the end of the chain.

Rationale:

There are two policies: accept (the default) and drop. If the policy is set to accept, the firewall will accept any packet that is not explicitly configured to be denied, and the packet will continue traversing the network stack.

It is easier to white list acceptable usage than to black list unacceptable usage.

Note: Changing firewall settings while connected over the network can result in being locked out of the system.

Impact:

If configuring nftables over ssh, creating a base chain with a policy of drop will cause loss of connectivity.

Ensure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop.

NOTE: Nessus has determined that this check is not applicable to the target device as it is currently configured. Please review the benchmark to ensure target compliance.

Solution

Run the following command for the base chains with the input, forward, and output hooks to implement a default DROP policy:

# nft chain <table family> <table name> <chain name> { policy drop ; }

Example:

# nft chain inet filter input { policy drop ; }

# nft chain inet filter forward { policy drop ; }

# nft chain inet filter output { policy drop ; }
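As an added example (not part of the CIS benchmark text or the Nessus audit), the following POSIX shell script audits a saved `nft list ruleset` dump for base chains whose policy is still accept, and prints, for the input chain, the remediation commands in the order the Impact section requires: the rules that keep an ssh session alive first, the drop policy last. The ruleset dump embedded in it is constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or the Nessus audit text.
# Audits an `nft list ruleset` dump for base chains that do not default to
# drop, and emits the remediation for the input chain in a lock-out-safe order.

# Constructed sample ruleset: the input chain still has the default policy.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
    }
}'

# Read a ruleset dump on stdin; print "family table chain policy" for every
# base chain (a chain that carries a "type ... hook ..." line).
list_base_chain_policies() {
    awk '
        /^table /             { family = $2; table = $3 }
        /^[[:space:]]*chain / { chain = $2 }
        /type .* hook .* policy / {
            for (i = 1; i <= NF; i++)
                if ($i == "policy") { policy = $(i + 1); sub(/;$/, "", policy) }
            print family, table, chain, policy
        }
    '
}

# Print base chains whose policy is not drop; exit 1 if any were found.
find_non_drop_chains() {
    list_base_chain_policies | awk '$4 != "drop" { print; bad = 1 } END { exit bad }'
}

# Emit the remediation for the input chain of one table in a safe order:
# loopback, established traffic and new ssh connections are accepted before
# the base chain policy is switched to drop. Review the plan, then run it.
plan_input_default_drop() {
    family=$1; table=$2
    echo "nft add rule $family $table input iif lo accept"
    echo "nft add rule $family $table input ct state established,related accept"
    echo "nft add rule $family $table input tcp dport 22 ct state new accept"
    echo "nft chain $family $table input '{ policy drop ; }'"
}

# Usage on the constructed dump; on a live host replace the printf with
# `nft list ruleset`.
printf '%s\n' "$SAMPLE_RULESET" | find_non_drop_chains |
while read -r family table chain policy; do
    echo "# $family $table $chain policy is $policy (expected drop)"
    if [ "$chain" = input ]; then
        plan_input_default_drop "$family" "$table"
    fi
done
```

The audit half only parses text, so it can be run against a dump copied off a host without touching the firewall; the plan half prints commands rather than executing them, so the ssh allow rule can be confirmed to precede the policy change before anything is applied over the network.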

Default Value:

accept

See Also

https://workbench.cisecurity.org/files/3208