Reputation: 163
I need to set up firewalld on RHEL7 according to CIS.
In 3.6.3 Ensure loopback traffic is configured (Scored) I need to configure the loopback interface to accept traffic and configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).
Can anyone help me with this?
My current configuration is:
firewall-cmd --permanent --zone=trusted --add-interface=lo
but it is not according to CIS requirements.
Upvotes: 1
Views: 7398
Reputation: 392
The intent of CIS 3.6.3 is to prevent spoofed traffic that is purportedly from 127.0.0.1 coming in on external interfaces such as eth0.
In my setup, all interfaces default to the "drop" zone, so in order to allow all legitimate traffic on loopback that isn't headed for an external interface, I first bind lo to the "trusted" zone, as in your command above:
firewall-cmd --permanent --zone=trusted --add-interface=lo
Then, I add a firewalld rich rule to the "drop" zone, where eth0 is bound, to drop any inbound IPv4 traffic that has a source address of 127.0.0.1 but a destination address that is anything other than 127.0.0.1.
firewall-cmd --zone=drop --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
I think that this satisfies the intent of CIS 3.6.3, although note that, at least on my setup, it does not satisfy the sample audit script given in the CIS RHEL7 benchmark document. That's because the CIS sample audit script tests specifically for the drop rule being present in the INPUT chain in iptables, whereas firewalld puts my rich rule into a sub-chain called IN_drop_deny.
Upvotes: 1
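As an added example (not code from either post above), here is a small shell audit that reproduces the mismatch the answer describes: a CIS-style check that looks only in the INPUT chain fails, while a check that follows the -j/-g jumps out of INPUT finds the drop rule firewalld placed in IN_drop_deny. The `iptables -S` listing is constructed to look like a firewalld RHEL7 host after the two commands above; it was not captured from a real system.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (not captured from a real host):
# lo bound to "trusted", eth0 bound to "drop", rich rule in the drop zone.
SAMPLE_RULES='-P INPUT ACCEPT
-N INPUT_ZONES
-N IN_drop
-N IN_drop_deny
-N IN_trusted
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i lo -g IN_trusted
-A INPUT_ZONES -i eth0 -g IN_drop
-A INPUT_ZONES -g IN_drop
-A IN_drop -j IN_drop_deny
-A IN_drop_deny -s 127.0.0.1/32 ! -d 127.0.0.1/32 -j DROP
-A IN_drop -j DROP
-A IN_trusted -j ACCEPT'

# Accept either the benchmark's 127.0.0.0/8 or the answer's 127.0.0.1/32 source.
LOOPBACK_SRC='-s 127\.0\.0\.(0/8|1/32) .*-j DROP'

# CIS-style check: the drop rule must sit directly in INPUT ($1 = rules).
cis_input_only_check() {
  printf '%s\n' "$1" | grep -Eq "^-A INPUT $LOOPBACK_SRC"
}

# Is the loopback drop rule present in one specific chain? ($1 rules, $2 chain)
rule_in_chain() {
  printf '%s\n' "$1" | grep -Eq "^-A $2 $LOOPBACK_SRC"
}

# Walk every user chain reachable from INPUT via -j/-g and look for the rule
# wherever firewalld placed it. $1 rules, $2 chain (default INPUT), $3 visited.
loopback_drop_reachable() {
  local rules="$1" chain="${2:-INPUT}" visited="${3:-}" target
  case " $visited " in *" $chain "*) return 1 ;; esac   # loop guard
  visited="$visited $chain"
  rule_in_chain "$rules" "$chain" && return 0
  for target in $(printf '%s\n' "$rules" | awk -v c="$chain" \
      '$1=="-A" && $2==c {for(i=3;i<=NF;i++) if($i=="-j"||$i=="-g") print $(i+1)}'); do
    case "$target" in ACCEPT|DROP|REJECT|RETURN) continue ;; esac   # built-ins
    loopback_drop_reachable "$rules" "$target" "$visited" && return 0
  done
  return 1
}

# On a live host, replace SAMPLE_RULES with "$(iptables -S)".
cis_input_only_check "$SAMPLE_RULES" || echo "INPUT-only check: rule not found"
loopback_drop_reachable "$SAMPLE_RULES" && echo "chain-following check: rule found"
```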