The RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-257937 | RHEL-09-251020 | SV-257937r1106310_rule | CCI-000366 | medium |

Description

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD data. RHEL 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used to implement a deny-all, allow-by-exception approach. The built-in "drop" zone drops all incoming network packets unless they are explicitly allowed by the zone's configuration or are related to a connection the host itself initiated.

| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2025-05-14 |
Details
Check Text (C-257937r1106310_chk)
Verify the RHEL 9 firewalld is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands:
Ensure firewalld is running:
$ sudo firewall-cmd --state
running
Identify active zones:
$ sudo firewall-cmd --get-active-zones
drop
interfaces: ens192
Check what rules and which target are applied in each active zone. The command below inspects the default zone; if an active zone listed above is not the default zone, run it again with that zone's name in "--zone=":
$ sudo firewall-cmd --list-all --zone=$(firewall-cmd --get-default-zone)
drop (active)
target: DROP
icmp-block-inversion: no
interfaces: ens192
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
If no zone is active on any RHEL 9 interface, or if the target of any active zone is anything other than "DROP" in either the runtime or the permanent configuration (repeat the command above with "--permanent" to see the permanent target, since a runtime-only change is lost on reload), this is a finding.
Fix Text (F-61602r1102092_fix)
Configure the "firewalld" daemon to employ a deny-all, allow-by-exception policy with the following commands:
Start by adding the exceptions that are required for mission functionality to the "drop" zone. Do this before the zone is made the default or bound to an interface, so that the administrative session (for example, SSH) is not cut off. If SSH access on port 22 is needed, for example, run the following:
$ sudo firewall-cmd --permanent --add-service=ssh --zone=drop
Reload the firewall rules to update the runtime configuration from the "--permanent" changes made above:
$ sudo firewall-cmd --reload
Set the default zone to the drop zone:
$ sudo firewall-cmd --set-default-zone=drop
Note: This is a runtime and permanent change.
Add any interfaces to the newly modified "drop" zone:
$ sudo firewall-cmd --permanent --zone=drop --change-interface=ens192
Reload the firewall rules for changes to take effect:
$ sudo firewall-cmd --reload
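The check and fix procedures above can be carried out by one script. The following is an added example written for this page, not part of the STIG and not firewalld's own tooling: it audits every active zone (rather than only the default zone the check text lists) in both the runtime and the permanent configuration, and it applies the fix with a guard that refuses to switch the default zone unless ssh is really allowed in "drop". The interface name ens192, the service list (ssh) and the function names are assumptions taken from the text above; run it as root on the target system.

```shell
#!/usr/bin/env bash
# Added example (not part of the STIG or of firewalld): audit every active
# firewalld zone for a DROP target in both the runtime and the permanent
# configuration, and optionally apply the fix from this rule with a lockout
# guard. The interface name (ens192) and the service list (ssh) are
# assumptions taken from the check and fix text; adjust them for the system.
set -u

# Parse the "target:" line of `firewall-cmd --list-all` output read from stdin.
# Prints the target (or "none" if the line is absent) and returns 0 only when
# it is DROP, which is the condition the check text requires.
target_is_drop() {
  local target
  target=$(sed -n 's/^[[:space:]]*target:[[:space:]]*//p' | head -n 1)
  printf '%s\n' "${target:-none}"
  [ "$target" = "DROP" ]
}

# Extract zone names from `firewall-cmd --get-active-zones` output on stdin.
# Zone names start in column 1; their interfaces/sources lines are indented.
active_zone_names() {
  sed -n '/^[^[:space:]]/p'
}

# Audit: firewalld must be running, at least one zone must be active, and every
# active zone must have target DROP in both runtime and permanent config.
# Returns 0 when compliant and 1 when the rule is a finding.
audit_all() {
  local zones zone mode target finding=0
  if [ "$(firewall-cmd --state 2>/dev/null)" != "running" ]; then
    echo "finding: firewalld is not running" >&2
    return 1
  fi
  zones=$(firewall-cmd --get-active-zones | active_zone_names)
  if [ -z "$zones" ]; then
    echo "finding: no zone is active on any interface" >&2
    return 1
  fi
  for zone in $zones; do
    for mode in "" "--permanent"; do
      # $mode is deliberately unquoted so an empty value adds no argument.
      if ! target=$(firewall-cmd $mode --list-all --zone="$zone" | target_is_drop); then
        echo "finding: zone $zone ${mode:-runtime} target is $target, not DROP" >&2
        finding=1
      fi
    done
  done
  return "$finding"
}

# Fix: add the exceptions to the permanent "drop" zone, reload, verify that
# ssh really is allowed there before the zone becomes the default (otherwise a
# typo in the service list would cut the administrative session), then bind
# the interface, reload and re-audit. Usage: apply_fix <interface> [service...]
apply_fix() {
  local iface=${1:?interface required} svc
  shift
  [ $# -gt 0 ] || set -- ssh
  for svc in "$@"; do
    firewall-cmd --permanent --zone=drop --add-service="$svc" >/dev/null
  done
  firewall-cmd --reload >/dev/null
  if ! firewall-cmd --zone=drop --query-service=ssh >/dev/null; then
    echo "ssh is not allowed in the drop zone; not changing the default zone" >&2
    return 1
  fi
  firewall-cmd --set-default-zone=drop >/dev/null      # runtime and permanent
  firewall-cmd --permanent --zone=drop --change-interface="$iface" >/dev/null
  firewall-cmd --reload >/dev/null
  audit_all
}

case "${1:-}" in
  audit) audit_all ;;
  fix)   shift; apply_fix "$@" ;;
  "")    ;;   # no argument: only define the functions (e.g. when sourced)
  *)     echo "usage: $0 audit | fix <interface> [service...]" >&2 ;;
esac
```

Run "sudo ./firewall-drop.sh audit" to reproduce the check, and "sudo ./firewall-drop.sh fix ens192 ssh" to apply the fix; the script's exit status is 0 only when every active zone has target DROP in both configurations. The ssh guard is the practical reason to script this: once the default zone is "drop" and the interface is moved into it, anything not already in the exception list, including the session you are typing in, is silently dropped.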