{"description": "The system must have exactly one active firewall service running to avoid conflicts\nand ensure consistent packet filtering. Only one of the following services should\nbe enabled and active at any time:\n<ul>\n    <li>ufw - Uncomplicated Firewall (Ubuntu/Debian default)</li>\n    <li>iptables - Classic Linux firewall</li>\n    <li>nftables - Next Generation Firewall replacement for iptables</li>\n</ul>\nHaving zero active firewalls leaves the system vulnerable, while having multiple\nactive firewalls can lead to rule conflicts and security gaps.", "rationale": "Running multiple firewall services simultaneously can lead to conflicts in rule\nprocessing, unpredictable behavior, and potential security gaps. A single\nfirewall service ensures consistent and predictable packet filtering.\n\nHaving no active firewall service leaves the system exposed to network-based\nattacks and unauthorized access.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule does not come with a remediation. There are specific rules\nfor enabling each firewall which should be enabled instead."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine", "platforms": ["machine"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["machine"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure Only One Firewall Service is Active", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/firewall_single_service_active/rule.yml", "template": null}