UCF STIG Viewer Logo

The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.


Overview

Finding ID Version Rule ID IA Controls Severity
V-219579 OL6-00-000320 SV-219579r793836_rule Medium
Description
In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
STIG Date
Oracle Linux 6 Security Technical Implementation Guide 2021-12-03

Details

Check Text ( C-21304r462352_chk )
Run the following command to ensure the default "FORWARD" policy is "DROP":

grep ":FORWARD" /etc/sysconfig/iptables

The output must be the following:

# grep ":FORWARD" /etc/sysconfig/iptables
:FORWARD DROP [0:0]

If it is not, this is a finding.
Fix Text (F-21303r462353_fix)
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in "/etc/sysconfig/iptables":

:FORWARD DROP [0:0]