mediumnetworkunverified
Ensure firewalld drops spoofed loopback source traffic
firewalld-loopback-source · RHEL ≥ 8 · 1 impl
Description
firewalld must drop packets that claim a loopback source address (127.0.0.0/8, ::1) but arrive on a non-loopback interface, preventing loopback spoofing.
Rationale
Traffic from another host forging a 127.0.0.0/8 or ::1 source can bypass access controls that trust loopback; it must be dropped on real interfaces.
Check → Remediate
Checkcommand
command -v firewall-cmd >/dev/null 2>&1 || { echo "NOT APPLICABLE: firewalld not present"; exit 0; }
# A rich/direct rule must drop 127.0.0.0/8 (and ::1) arriving off-lo.
v4=$(firewall-cmd --permanent --zone=trusted --list-rich-rules 2>/dev/null; firewall-cmd --direct --get-all-rules 2>/dev/null)
if printf '%s' "$v4" | grep -qE '127\.0\.0\.0/8' && printf '%s' "$v4" | grep -qiE 'drop|reject'; then
echo "OK: spoofed loopback source traffic is dropped"
exit 0
fi
echo "FAIL: no firewalld rule drops spoofed 127.0.0.0/8 loopback source traffic"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add drop rules for loopback source addresses arriving off lo, e.g.: firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=127.0.0.0/8 drop' firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address=::1 drop' then firewall-cmd --reload (ensure lo itself remains in the trusted zone).
Framework references
CIS
rhel8 4.1.6rhel10 4.1.6
NIST 800-53
SC-7AC-4
#firewalld#loopback#spoofing#cis