{"description": "Ubuntu 22.04 incorporates the \"firewalld\" daemon, which allows for many different configurations. One of these configurations is zones.\nZones can be utilized to a deny-all, allow-by-exception approach.\nThe default \"drop\" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.", "rationale": "Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems.\nIt also permits outbound connections that may facilitate exfiltration of data.", "severity": "medium", "references": {"nist": ["AC-17 (1)"], "srg": ["SRG-OS-000297-GPOS-00115"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no zones are active on the interfaces or if the target is set to a different option other than \"DROP\"", "ocil": "Verify \"firewalld\" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:\n\n$ sudo firewall-cmd --state\n\nrunning\n\n$ sudo firewall-cmd --get-active-zones\n\n[custom]\ninterfaces: ens33\n\n$ sudo firewall-cmd --info-zone=[custom] | grep target\n\ntarget: DROP", "oval_external_content": null, "fixtext": "Configure the \"firewalld\" daemon to employ a deny-all, allow-by-exception with the following commands:\n\n$ sudo firewall-cmd --permanent --new-zone=[custom]\n\n$ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml\n\nThis will provide a clean configuration file to work with that employs a deny-all approach. Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name.\n\nReload the firewall rules to make the new [custom] zone available to load:\n$ sudo firewall-cmd --reload\n\nSet the default zone to the new [custom] zone:\n$ sudo firewall-cmd --set-default-zone=[custom]\n\nNote: This is a runtime and permanent change.\nAdd any interfaces to the new [custom] zone:\n$ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33\n\nReload the firewall rules for changes to take effect:\n$ sudo firewall-cmd --reload ", "checktext": "", "vuldiscussion": "", "srg_requirement": "A Ubuntu 22.04 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "A Ubuntu 22.04 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.", "fixtext": "Configure the \"firewalld\" daemon to employ a deny-all, allow-by-exception with the following commands:\n\nStart by adding the exceptions that are required for mission functionality to the \"drop\" zone. If SSH access on port 22 is needed, for example, run the following: \"sudo firewall-cmd --permanent --add-service=ssh --zone=drop\"\n\nReload the firewall rules to update the runtime configuration from the \"--permanent\" changes made above:\n$ sudo firewall-cmd --reload\n\nSet the default zone to the drop zone:\n$ sudo firewall-cmd --set-default-zone=drop\nNote: This is a runtime and permanent change.\n\nAdd any interfaces to the newly modified \"drop\" zone:\n$ sudo firewall-cmd --permanent --zone=drop --change-interface=ens33\n\nReload the firewall rules for changes to take effect:\n$ sudo firewall-cmd --reload", "checktext": "Verify the Ubuntu 22.04 \"firewalld\" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:\n\n$ sudo  firewall-cmd --state\n\nrunning\n\n$ sudo firewall-cmd --get-active-zones\n\npublic\n   interfaces: ens33\n\n$ sudo firewall-cmd --info-zone=public | grep target\n\n   target: DROP\n\n$ sudo firewall-cmd --permanent --info-zone=public | grep target\n\n   target: DROP\n\nIf no zones are active on the Ubuntu 22.04 interfaces or if runtime and permanent targets are set to a different option other than \"DROP\", this is a finding.", "vuldiscussion": "Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD data.\n\nUbuntu 22.04 incorporates the \"firewalld\" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default \"drop\" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configured_firewalld_default_deny/rule.yml", "template": null}