Configure Firewalld to Restrict Loopback Traffic
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
Configure firewalld
to restrict loopback traffic to the lo
interface.
The loopback traffic must be trusted by assigning the lo
interface to the
firewalld
trusted
zone. However, the loopback traffic must be restricted
to the loopback interface as an anti-spoofing measure.
To configure firewalld
to restrict loopback traffic to the lo
interface,
run the following commands:
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
To ensure firewalld
settings are applied in runtime, run the following command:
Rationale
Loopback traffic is generated between processes on machine and is typically critical to
operation of the system. The loopback interface is the only place that loopback network
traffic should be seen, all other interfaces should ignore traffic on this network as an
anti-spoofing measure.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if ! rpm -q --quiet "firewalld" ; then
yum install -y "firewalld"
fi
ipv4_rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
ipv6_rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)"; then
firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv4_rule}"
firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv6_rule}"
elif systemctl is-active firewalld; then
firewall-cmd --permanent --zone=trusted --add-rich-rule="${ipv4_rule}"
firewall-cmd --permanent --zone=trusted --add-rich-rule="${ipv6_rule}"
firewall-cmd --reload
else
echo "
firewalld service is not active. Remediation aborted!
This remediation could not be applied because it depends on firewalld service running.
The service is not started by this remediation in order to prevent connection issues."
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Package
is Installed
ansible.builtin.package:
name: '{{ item }}'
state: present
with_items:
- firewalld
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-87272-1
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_restricted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Restrict Loopback Traffic - Collect Facts About System
Services
ansible.builtin.service_facts: null
register: result_services_states
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-87272-1
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_restricted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Restrict Loopback Traffic - Remediation is Applicable
if firewalld Service is Running
block:
- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld trusted
Zone Restricts IPv4 Loopback Traffic
ansible.builtin.command:
cmd: firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4
source address="127.0.0.1" destination not address="127.0.0.1" drop'
register: result_trusted_ipv4_restriction
changed_when:
- '''ALREADY_ENABLED'' not in result_trusted_ipv4_restriction.stderr'
- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld trusted
Zone Restricts IPv6 Loopback Traffic
ansible.builtin.command:
cmd: firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6
source address="::1" destination not address="::1" drop'
register: result_trusted_ipv6_restriction
changed_when:
- '''ALREADY_ENABLED'' not in result_trusted_ipv6_restriction.stderr'
- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Changes
are Applied
ansible.builtin.service:
name: firewalld
state: reloaded
when:
- result_trusted_ipv4_restriction is changed or result_trusted_ipv6_restriction
is changed
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- ansible_facts.services['firewalld.service'].state == 'running'
tags:
- CCE-87272-1
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_restricted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- name: Configure Firewalld to Restrict Loopback Traffic - Informative Message Based
on Service State
ansible.builtin.assert:
that:
- ansible_facts.services['firewalld.service'].state == 'running'
fail_msg:
- firewalld service is not active. Remediation aborted!
- This remediation could not be applied because it depends on firewalld service
running.
- The service is not started by this remediation in order to prevent connection
issues.
success_msg:
- Configure Firewalld to Restrict Loopback Traffic remediation successfully executed
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-87272-1
- PCI-DSSv4-1.4.1
- configure_strategy
- firewalld_loopback_traffic_restricted
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed