{"description": "Configure <tt>firewalld</tt> to restrict loopback traffic to the <tt>lo</tt> interface.\n\nThe loopback traffic must be trusted by assigning the <tt>lo</tt> interface to the\n<tt>firewalld</tt> <tt>trusted</tt> zone. However, the loopback traffic must be restricted\nto the loopback interface as an anti-spoofing measure.\n\nTo configure <tt>firewalld</tt> to restrict loopback traffic to the <tt>lo</tt> interface,\nrun the following commands:\n<pre>\nsudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address=\"127.0.0.1\" destination not address=\"127.0.0.1\" drop'\nsudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address=\"::1\" destination not address=\"::1\" drop'\n</pre>\n\nTo ensure <tt>firewalld</tt> settings are applied in runtime, run the following command:\n<pre>firewall-cmd --reload</pre>", "rationale": "Loopback traffic is generated between processes on the machine and is typically critical to\noperation of the system. The loopback interface is the only place that loopback network\ntraffic should be seen; all other interfaces should ignore traffic on this network as an\nanti-spoofing measure.", "severity": "medium", "references": {"pcidss4": ["1.4.1", "1.4"]}, "control_references": {"pcidss4": ["1.4.1", "1.4"]}, "components": [], "identifiers": {}, "ocil_clause": "loopback traffic is not restricted", "ocil": "Inspect the firewalld trusted and default zones and verify the loopback traffic is restricted\nto the <tt>lo</tt> interface by running the following command:\n\n<pre>$ sudo firewall-cmd --list-rich-rules --zone=trusted</pre>\n\nThe following rich rules should be listed:\n<pre>\nrule family=\"ipv4\" source address=\"127.0.0.1\" destination not address=\"127.0.0.1\" drop\nrule family=\"ipv6\" source address=\"::1\" destination not address=\"::1\" drop\n</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to restrict loopback traffic using the following commands:\n\n$ sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address=\"127.0.0.1\" destination not address=\"127.0.0.1\" drop'\n$ sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address=\"::1\" destination not address=\"::1\" drop'\n$ sudo firewall-cmd --reload", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure Firewalld to Restrict Loopback Traffic", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-firewalld/ruleset_modifications/firewalld_loopback_traffic_restricted/rule.yml", "template": null}