highnetworkverified ✓
Ensure nftables default deny firewall policy
nftables-default-deny · RHEL ≥ 8 · 2 impls
Description
When using nftables directly, the default policy should be to deny all traffic that is not explicitly allowed.
Rationale
A default deny policy ensures that only explicitly allowed traffic can pass through the firewall, reducing the attack surface.
Check → Remediate
Checkcommand
systemctl is-active firewalld >/dev/null 2>&1 && echo 'OK: using firewalld' || { echo 'FAIL: no firewall active'; exit 1; }- expected_exit:
- 0
Remediatemanual
- note:
- Enable either firewalld or nftables to enforce firewall policies.
Framework references
CIS
rhel9 4.3.3
NIST 800-53
SC-7
Live verification
rhel9:check
#firewall#nftables#security