{"description": "Configure the nftables firewall rules for new outbound and established connections", "rationale": "If rules are not in place for new outbound and established connections, all packets\nwill be dropped by the default policy preventing network usage.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "All nftables rules for established incoming, and for new and outbound connections do not match site policy", "ocil": "To verify that all nftables rules on your system for established incoming connections match site policy,\nrun the following command:\n<pre>$ sudo  nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'</pre>\nOutput should be similar to:\n<tt>\n  ip protocol tcp ct state established accept\n  ip protocol udp ct state established accept\n  ip protocol icmp ct state established accept\n</tt>\nTo verify that all nftables rules for new and established outbound connections match site policy,\nrun:\n<pre>$ sudo nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'</pre>\nand output should be similar to:\n<tt>\n  ip protocol tcp ct state established,related,new accept\n  ip protocol udp ct state established,related,new accept\n  ip protocol icmp ct state established,related,new accept\n</tt>\nTo configure nftables in accordance with site policy which will allow all outbound and all\nestablished connections, run the following commands:\n<pre>$ sudo nft add rule inet filter input ip protocol tcp ct state established accept</pre>\n<pre>$ sudo nft add rule inet filter input ip protocol udp ct state established accept</pre>\n<pre>$ sudo nft add rule inet filter input ip protocol icmp ct state established accept</pre>\n<pre>$ sudo nft add rule inet filter output ip protocol tcp ct state new,related,established accept</pre>\n<pre>$ sudo nft add rule inet filter output ip protocol udp ct state new,related,established accept</pre>\n<pre>$ sudo nft add rule inet filter output ip protocol icmp ct state new,related,established accept</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure all outbound and established connections are configured for nftables", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-nftables/set_nftables_new_connections/rule.yml", "template": null}