AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-269246	SRG-OS-000480-GPOS-00227	ALMA-09-018830	SV-269246r1050780_rule	2025-02-20	1

Description
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD data. AlmaLinux OS 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.

Description

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD data. AlmaLinux OS 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.

ℹ️ Check
Verify the AlmaLinux OS 9 "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems. First ensure firewalld is running: $ firewall-cmd --state running Next, get the active zones: $ firewall-cmd --get-active-zones public interfaces: enp1s0 Check the target of the zones returned from the previous command: $ firewall-cmd --info-zone=public \| grep target target: DROP Check the runtime and permanent rules match: $ firewall-cmd --permanent --info-zone=public \| grep target target: DROP If no zones are active on the AlmaLinux OS 9 interfaces or if runtime and permanent targets are set to a different option other than "DROP", this is a finding.

ℹ️ Check

Verify the AlmaLinux OS 9 "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems. First ensure firewalld is running: $ firewall-cmd --state running Next, get the active zones: $ firewall-cmd --get-active-zones public interfaces: enp1s0 Check the target of the zones returned from the previous command: $ firewall-cmd --info-zone=public | grep target target: DROP Check the runtime and permanent rules match: $ firewall-cmd --permanent --info-zone=public | grep target target: DROP If no zones are active on the AlmaLinux OS 9 interfaces or if runtime and permanent targets are set to a different option other than "DROP", this is a finding.

✔️ Fix
Configure the "firewalld" daemon to employ a deny-all, allow-by-exception. Start by adding the exceptions that are required for mission functionality to the "drop" zone. If SSH access on port 22 is needed for example, run the following command: $ firewall-cmd --permanent --add-service=ssh --zone=drop Set the default zone to the "drop" zone: $ firewall-cmd --set-default-zone=drop Note: This is a runtime and a permanent change. Add any interfaces to the newly modified "drop" zone: $ firewall-cmd --permanent --zone=drop --change-interface=enp1s0 Reload the firewall rules for changes to take effect: $ firewall-cmd --reload Check zones and interfaces: $ firewall-cmd --get-active-zones drop interfaces: enp1s0 Check new default zone's target is set to "DROP": $ firewall-cmd --permanent --info-zone=drop \| grep target target: DROP The same outcome is achieved by creating a new zone, for example: $ firewall-cmd --permanent --new-zone=stig $ firewall-cmd --reload $ firewall-cmd --permanent --change-interface=enp1s0 --zone=stig $ firewall-cmd --permanent --add-service=ssh --zone=stig $ firewall-cmd --permanent --set-target=DROP --zone=stig $ firewall-cmd --set-default-zone=stig

✔️ Fix

Configure the "firewalld" daemon to employ a deny-all, allow-by-exception. Start by adding the exceptions that are required for mission functionality to the "drop" zone. If SSH access on port 22 is needed for example, run the following command: $ firewall-cmd --permanent --add-service=ssh --zone=drop Set the default zone to the "drop" zone: $ firewall-cmd --set-default-zone=drop Note: This is a runtime and a permanent change. Add any interfaces to the newly modified "drop" zone: $ firewall-cmd --permanent --zone=drop --change-interface=enp1s0 Reload the firewall rules for changes to take effect: $ firewall-cmd --reload Check zones and interfaces: $ firewall-cmd --get-active-zones drop interfaces: enp1s0 Check new default zone's target is set to "DROP": $ firewall-cmd --permanent --info-zone=drop | grep target target: DROP The same outcome is achieved by creating a new zone, for example: $ firewall-cmd --permanent --new-zone=stig $ firewall-cmd --reload $ firewall-cmd --permanent --change-interface=enp1s0 --zone=stig $ firewall-cmd --permanent --add-service=ssh --zone=stig $ firewall-cmd --permanent --set-target=DROP --zone=stig $ firewall-cmd --set-default-zone=stig