UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.


Overview

Finding ID Version Rule ID IA Controls Severity
V-50987 OL6-00-000120 SV-65193r1_rule Medium
Description
In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
STIG Date
Oracle Linux 6 Security Technical Implementation Guide 2019-03-20

Details

Check Text ( C-53429r1_chk )
Inspect the file "/etc/sysconfig/iptables" to determine the default policy for the INPUT chain. It should be set to DROP.

# grep ":INPUT" /etc/sysconfig/iptables

If the default policy for the INPUT chain is not set to DROP, this is a finding.
Fix Text (F-55789r1_fix)
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in "/etc/sysconfig/iptables":

:INPUT DROP [0:0]