← Rules Catalog
highnetworkverified

Ensure nftables default deny firewall policy

nftables-default-deny · RHEL ≥ 8 · 2 impls

Description

When using nftables directly, the default policy should be to deny all traffic that is not explicitly allowed.

Rationale

A default deny policy ensures that only explicitly allowed traffic can pass through the firewall, reducing the attack surface.

Check → Remediate

Checkcommand
systemctl is-active firewalld >/dev/null 2>&1 && echo 'OK: using firewalld' || { echo 'FAIL: no firewall active'; exit 1; }
expected_exit:
0
Remediatemanual
note:
Enable either firewalld or nftables to enforce firewall policies.

Framework references

CIS

rhel9 4.3.3

NIST 800-53

SC-7

Live verification

rhel9:check
#firewall#nftables#security