← Rules Catalog
mediumnetworkverified

Ensure firewalld implements a deny-all allow-by-exception policy

firewalld-default-deny · RHEL ≥ 8 · 1 impl

Description

Firewalld must be configured with a deny-all default policy, allowing only explicitly permitted traffic. The default zone must drop or reject all unauthorized traffic.

Rationale

A deny-all firewall policy ensures that only traffic explicitly authorized by the ISSM is permitted. Without a default deny policy, unauthorized network connections may be allowed, increasing the attack surface.

Check → Remediate

Checkcommand
zone=$(firewall-cmd --get-default-zone 2>/dev/null) && target=$(firewall-cmd --zone="$zone" --list-all 2>/dev/null | grep 'target:' | awk '{print $2}') && echo "$target" | grep -qiE 'DROP|REJECT|%%REJECT%%'
expected_exit:
0
Remediatemanual
note:
Configure the default firewalld zone to use a deny-all policy: firewall-cmd --set-default-zone=drop --permanent firewall-cmd --reload Then explicitly allow required services and ports.

Framework references

CIS

rhel8 4.1.4rhel10 4.1.4

STIG

V-280957 / RHEL-10-200532V-257937 / RHEL-09-251020V-230504

NIST 800-53

SC-7CM-7

Live verification

rhel8:check
#firewall#firewalld#default-deny#network