3.6.5 Ensure firewall rules exist for all open ports (Scored)

Level 1 - Server
Level 1 - Workstation 

Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.

Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.

Run the following command to determine open ports:

# netstat -ln
Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address Foreign Address State
 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

Run the following command to determine firewall rules:

# iptables -L INPUT -v -n 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
 tcp dpt:22 state NEW

Verify all open ports listening on non-localhost addresses have at least one firewall rule.

The last line identified by the “tcp dpt:22 state NEW” identifies it as a firewall rule for new connections on tcp port 22.

For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections:

# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT

Changing firewall settings while connected over network can result in being locked out of the system.
Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well.
The remediation command opens up the port to traffic from all sources. Consult iptables documentation and set any restrictions in compliance with site policy.

  • centos7/3/6/5.txt
  • Last modified: 2017/05/04 17:38
  • by 127.0.0.1