← Rules Catalog
mediumnetworkunverified

Ensure firewalld drops spoofed loopback source traffic

firewalld-loopback-source · RHEL ≥ 8 · 1 impl

Description

firewalld must drop packets that claim a loopback source address (127.0.0.0/8, ::1) but arrive on a non-loopback interface, preventing loopback spoofing.

Rationale

Traffic from another host forging a 127.0.0.0/8 or ::1 source can bypass access controls that trust loopback; it must be dropped on real interfaces.

Check → Remediate

Checkcommand
command -v firewall-cmd >/dev/null 2>&1 || { echo "NOT APPLICABLE: firewalld not present"; exit 0; }
# A rich/direct rule must drop 127.0.0.0/8 (and ::1) arriving off-lo.
v4=$(firewall-cmd --permanent --zone=trusted --list-rich-rules 2>/dev/null; firewall-cmd --direct --get-all-rules 2>/dev/null)
if printf '%s' "$v4" | grep -qE '127\.0\.0\.0/8' && printf '%s' "$v4" | grep -qiE 'drop|reject'; then
  echo "OK: spoofed loopback source traffic is dropped"
  exit 0
fi
echo "FAIL: no firewalld rule drops spoofed 127.0.0.0/8 loopback source traffic"
exit 1
expected_exit:
0
Remediatemanual
note:
Add drop rules for loopback source addresses arriving off lo, e.g.: firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=127.0.0.0/8 drop' firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address=::1 drop' then firewall-cmd --reload (ensure lo itself remains in the trusted zone).

Framework references

CIS

rhel8 4.1.6rhel10 4.1.6

NIST 800-53

SC-7AC-4
#firewalld#loopback#spoofing#cis