{"description": "The default rules can be strengthened. The system\nscripts that activate the firewall rules expect them to be defined\nin the configuration files <tt>iptables</tt> and <tt>ip6tables</tt> in the directory\n<tt>/etc/sysconfig</tt>. Many of the lines in these files are similar\nto the command line arguments that would be provided to the programs\n<tt>/sbin/iptables</tt> or <tt>/sbin/ip6tables</tt>, but some are quite\ndifferent: the table selector <tt>*filter</tt>, the chain policy lines\nsuch as <tt>:INPUT DROP [0:0]</tt> and the closing <tt>COMMIT</tt> are part of the\n<tt>iptables-restore</tt> file format rather than <tt>iptables</tt> arguments.\n<br /><br />\nThe following recommendations describe how to strengthen the\ndefault ruleset configuration file. An alternative to editing this\nconfiguration file is to create a shell script that makes calls to\nthe <tt>iptables</tt> program to load rules, and then invokes\n<tt>service iptables save</tt> to write the loaded rules to\n<tt>/etc/sysconfig/iptables</tt>.\n<br /><br />\nThe following alterations can be made directly to\n<tt>/etc/sysconfig/iptables</tt> and <tt>/etc/sysconfig/ip6tables</tt>.\nInstructions apply to both unless otherwise noted. Language and address\nconventions for regular iptables are used throughout this section;\nconfiguration for ip6tables will be either analogous or explicitly\ncovered.", "warnings": [{"general": "The program <tt>system-config-securitylevel</tt>\nallows additional services through the default firewall rules\nand automatically rewrites <tt>/etc/sysconfig/iptables</tt>. This program\nis only useful if the default ruleset meets your security\nrequirements. Otherwise, it should not be used to make\nchanges to the firewall configuration, because it overwrites the\nsaved configuration file and any manual hardening in it is lost."}], "requires": [], "conflicts": [], "values": {}, "groups": ["iptables_icmp_disabled", "iptables_log_and_drop_suspicious"], "rules": ["ip6tables_rules_for_open_ports", "iptables_rules_for_open_ports", "set_iptables_default_rule", "set_iptables_default_rule_forward", "set_iptables_outbound_n_established"], "platform": "package[iptables]", "platforms": ["package[iptables]"], "inherited_platforms": [], "cpe_platform_names": ["package_iptables"], "title": "Strengthen the Default Ruleset", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/group.yml"}
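The contrast the description draws between the file format and the command line, as an added example that is not part of the SCAP Security Guide content: a POSIX shell script (hypothetical name <tt>gen_iptables_ruleset.sh</tt>, written for this page rather than taken from the project) that emits a strengthened ruleset in the <tt>iptables-restore</tt> syntax that <tt>/etc/sysconfig/iptables</tt> and <tt>/etc/sysconfig/ip6tables</tt> expect. The default DROP policies, the explicit per-port ACCEPTs, the outbound/established allowance and the rate-limited log-then-drop tail follow the intent of the rules and groups listed on this page; the port list, the log prefix and the choice to keep only the four ICMPv6 discovery types are assumptions made for the example.

```shell
#!/bin/sh
# gen_iptables_ruleset.sh (hypothetical name; added example, not SSG content)
# Emit a strengthened ruleset in the iptables-save/iptables-restore syntax that
# /etc/sysconfig/iptables and /etc/sysconfig/ip6tables expect, rather than as
# iptables command lines.
#
#   sh gen_iptables_ruleset.sh 4 22 443 > /etc/sysconfig/iptables
#   sh gen_iptables_ruleset.sh 6 22     > /etc/sysconfig/ip6tables
#
# Three kinds of line have no "iptables <args>" form:
#   *filter             selects the table (what -t filter does on the CLI)
#   :INPUT DROP [0:0]   chain policy, the file form of "iptables -P INPUT DROP";
#                       [0:0] are packet:byte counters, zeroed on load
#   COMMIT              closes the table; without it nothing is loaded

gen_ruleset() {
    family="$1"
    if [ "$#" -ge 1 ]; then shift; fi
    case "$family" in
        4) cmd=iptables ;;
        6) cmd=ip6tables ;;
        *) echo "gen_ruleset: family must be 4 or 6, got '$family'" >&2; return 1 ;;
    esac
    # Refuse anything that is not a TCP port number before emitting a file
    # that iptables-restore would reject half-way through.
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_ruleset: port out of range '$p'" >&2; return 1
        fi
    done

    echo "# Generated for $cmd; lines starting with # are ignored by $cmd-restore"
    echo "*filter"
    # Default policies: drop unsolicited inbound and all forwarded traffic,
    # allow outbound (the set_iptables_default_rule* and
    # set_iptables_outbound_n_established rules listed on this page).
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m state --state INVALID -j DROP"
    if [ "$family" = 6 ]; then
        # ICMPv6 is not optional: router/neighbor discovery (types 133-136)
        # must pass or the host loses IPv6 connectivity entirely.
        for t in 133 134 135 136; do
            echo "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type $t -j ACCEPT"
        done
    fi
    # One explicit ACCEPT per service that must be reachable (the
    # *_rules_for_open_ports rules); nothing else is opened.
    for p in "$@"; do
        echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    # Log what is about to be dropped, rate-limited so a flood cannot fill the
    # log, then drop explicitly rather than relying on the policy alone.
    echo "-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$cmd denied: \" --log-level 4"
    echo "-A INPUT -j DROP"
    echo "COMMIT"
}

# Default invocation for a stand-alone run: IPv4 with only SSH open.
[ "$#" -gt 0 ] || set -- 4 22
gen_ruleset "$@"
```

Redirect the output to <tt>/etc/sysconfig/iptables</tt> (or <tt>ip6tables</tt> for family 6) and activate it with <tt>service iptables restart</tt>; a dry run with <tt>iptables-restore --test &lt; /etc/sysconfig/iptables</tt> catches syntax errors before the service touches the live tables. Keep the port of the session you are working over (22 in the examples) in the list, or the new INPUT policy will cut that session off, and generate the IPv6 file separately rather than copying the IPv4 one, since the address conventions and the ICMPv6 requirement differ.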