UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system's local firewall must implement a deny-all, allow-by-exception policy.


Overview

Finding ID Version Rule ID IA Controls Severity
V-227981 GEN008540 SV-227981r854521_rule Medium
Description
A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.
STIG Date
Solaris 10 X86 Security Technical Implementation Guide 2022-09-07

Details

Check Text ( C-30143r490381_chk )
If the system is not a global zone, this vulnerability is not applicable.

Check the firewall rules for a default deny rule.
# ipfstat -i

An example of a default deny rule is:
block in log quick on ne3 from any to any.

If there is no default deny rule, this is a finding.
Fix Text (F-30131r490382_fix)
Edit /etc/ipf/ipf.conf and add a default deny rule.
Restart the ipfilter service.
# svcadm restart network/ipfilter