{"description": "Configure the firewall rules for new outbound and established connections.", "rationale": "If no rules accept new outbound connections and packets belonging to established connections, a default-deny policy drops every packet and the host cannot use the network.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "there are no rules configuring outbound or established connections", "ocil": "Inspect the output of the following command (run as root):\n<pre>$ iptables -L -v -n</pre>\nor, for IPv6,\n<pre>$ ip6tables -L -v -n</pre>\nand verify that the rules for new outbound connections and for established connections match site policy.", "oval_external_content": null, "fixtext": "Configure iptables in accordance with site policy. The following commands allow all new outbound connections and all inbound packets that belong to connections already established from this host (<code>-m state</code> is a legacy alias for <code>-m conntrack --ctstate</code>; either form works):\n<pre>\n# iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT\n# iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT\n# iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT\n# iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT\n# iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT\n# iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT\n</pre>\nRun the same commands with ip6tables if IPv6 is enabled and IPv6 rules need to be configured. Because the INPUT rules accept only the ESTABLISHED state, inbound services still need their own rules, and traffic that connection tracking classifies as RELATED (for example ICMP error messages for an existing flow) is not covered by these rules.", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Changing firewall settings while connected over the network can lock you out of the system; apply changes from a console session where possible."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {"platform": ["multi_platform_all"], "environment": "any", "filename": "set_iptables_outbound_n_established.sh", "relative_path": "ubuntu2204/checks/sce/set_iptables_outbound_n_established.sh"}, "inherited_platforms": ["package[iptables]"], "cpe_platform_names": [], "inherited_cpe_platform_names": 
["package_iptables"], "bash_conditional": null, "fixes": {}, "title": "Ensure Outbound and Established Connections are Configured", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/set_iptables_outbound_n_established/rule.yml", "template": null}
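The following shell script is an added example for this page; it is not the rule's own SCE script (set_iptables_outbound_n_established.sh) and not ComplianceAsCode code. It shows the two halves of the rule in working form: a check that parses `iptables -S` output and reports which of the six fixtext rules are missing, and an idempotent apply function that uses `-C` before `-A` so re-running it does not duplicate rules. The ruleset dumps `SAMPLE_RULES`, `SAMPLE_RULES_CONNTRACK` and `SAMPLE_RULES_MISSING` are constructed for the example; the function names and the `live` argument are this example's own.

```shell
#!/bin/sh
# Added example: check and apply the outbound/established rules from the fixtext.
# The ruleset dumps below are constructed samples in `iptables -S` format.

# Constructed: a ruleset after the six fixtext commands were applied (legacy state match).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT'

# Constructed: the same policy as some iptables builds (iptables-nft) print it,
# with RELATED added by site policy; must still pass.
SAMPLE_RULES_CONNTRACK='-A OUTPUT -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed: the udp INPUT rule is absent and the icmp OUTPUT rule lacks NEW; must fail.
SAMPLE_RULES_MISSING='-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT'

# rule_states RULES CHAIN PROTO
# Prints the state list of the first ACCEPT rule for CHAIN/PROTO that uses the
# state match or its conntrack equivalent; prints nothing if there is none.
rule_states() {
    printf '%s\n' "$1" \
      | sed -En "s/^-A $2 -p $3 -m (state --state|conntrack --ctstate) ([A-Z,]+) -j ACCEPT\$/\2/p" \
      | head -n 1
}

# states_include LIST STATE...
# Returns 0 if every STATE appears in the comma-separated LIST, 1 otherwise.
states_include() {
    list=",$1,"
    shift
    for s in "$@"; do
        case $list in
            *",$s,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_outbound_established RULES
# Returns 0 when, for tcp, udp and icmp, an OUTPUT rule accepts NEW and ESTABLISHED
# and an INPUT rule accepts ESTABLISHED; prints each missing rule and returns 1 otherwise.
check_outbound_established() {
    status=0
    for proto in tcp udp icmp; do
        if ! states_include "$(rule_states "$1" OUTPUT "$proto")" NEW ESTABLISHED; then
            echo "missing: OUTPUT -p $proto ACCEPT for NEW,ESTABLISHED"
            status=1
        fi
        if ! states_include "$(rule_states "$1" INPUT "$proto")" ESTABLISHED; then
            echo "missing: INPUT -p $proto ACCEPT for ESTABLISHED"
            status=1
        fi
    done
    return $status
}

# apply_outbound_established IPT
# Appends the six fixtext rules with IPT (iptables or ip6tables). Each rule is
# first probed with -C so that re-running the function does not add duplicates.
# Needs root; not invoked below.
apply_outbound_established() {
    ipt=$1
    for proto in tcp udp icmp; do
        "$ipt" -C OUTPUT -p "$proto" -m state --state NEW,ESTABLISHED -j ACCEPT 2>/dev/null \
          || "$ipt" -A OUTPUT -p "$proto" -m state --state NEW,ESTABLISHED -j ACCEPT
        "$ipt" -C INPUT -p "$proto" -m state --state ESTABLISHED -j ACCEPT 2>/dev/null \
          || "$ipt" -A INPUT -p "$proto" -m state --state ESTABLISHED -j ACCEPT
    done
}

# Usage: `sh check.sh` runs the check on the constructed sample;
# `sh check.sh live` (as root) runs it on the running IPv4 ruleset.
case ${1-} in
    live) rules=$(iptables -S) ;;
    *)    rules=$SAMPLE_RULES ;;
esac
check_outbound_established "$rules" && echo "outbound/established rules present"
```

The check deliberately tests for the presence of the required states rather than for an exact `NEW,ESTABLISHED` string, so a site that also accepts RELATED (as in the second sample) still passes, and it reads both the `-m state` and the `-m conntrack --ctstate` spellings since either can appear in a dump. For IPv6, feed it `ip6tables -S` output instead.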