mediumnetworkverified ✓
Ensure firewalld implements a deny-all allow-by-exception policy
firewalld-default-deny · RHEL ≥ 8 · 1 impl
Description
Firewalld must be configured with a deny-all default policy, allowing only explicitly permitted traffic. The default zone must drop or reject all unauthorized traffic.
Rationale
A deny-all firewall policy ensures that only traffic explicitly authorized by the ISSM is permitted. Without a default deny policy, unauthorized network connections may be allowed, increasing the attack surface.
Check → Remediate
Checkcommand
zone=$(firewall-cmd --get-default-zone 2>/dev/null) && target=$(firewall-cmd --zone="$zone" --list-all 2>/dev/null | grep 'target:' | awk '{print $2}') && echo "$target" | grep -qiE 'DROP|REJECT|%%REJECT%%'
- expected_exit:
- 0
Remediatemanual
- note:
- Configure the default firewalld zone to use a deny-all policy: firewall-cmd --set-default-zone=drop --permanent firewall-cmd --reload Then explicitly allow required services and ports.
Framework references
CIS
rhel8 4.1.4rhel10 4.1.4
STIG
V-280957 / RHEL-10-200532V-257937 / RHEL-09-251020V-230504
NIST 800-53
SC-7CM-7
Live verification
rhel8:check
#firewall#firewalld#default-deny#network