UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system's local firewall must implement a deny-all, allow-by-exception policy.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22583 GEN008540 SV-37985r1_rule ECSC-1 Medium
Description
A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.
STIG Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide 2016-06-01

Details

Check Text ( C-37287r3_chk )
Check the firewall rules for a default deny rule.

# iptables --list

Example of a rule meeting this criteria:
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

A rule using DROP is also acceptable. The default rule should be the last rule of a table and match all traffic.

If there is no default deny rule, this is a finding.
Fix Text (F-32525r2_fix)
Edit "/etc/sysconfig/iptables" and add a default deny rule.

An example of a default deny rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Restart the iptable service.
# service iptables restart