Check: FreeBSD-10-002310
FreeBSD 10:
FreeBSD-10-002310
(in version v1 r1)
Title
The operating system must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. (Cat II impact)
Discussion
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. Satisfies: SRG-OS-000480-GPOS-00231
Check Content
Verify the operating system employs a deny-all, allow-by-exception firewall policy for allowing connections to other systems. If it does not, this is a finding.

Ensure PF is enabled:

$ grep pf_ /etc/rc.conf
pf_enable="YES"
pf_flags=""

"pf_enable" must be set to YES. (There may be additional lines.)

$ pfctl -s rules
block drop all
pass in proto tcp from any to any port = http flags S/SA keep state
pass in proto tcp from any to any port = ssh flags S/SA keep state
pass out proto tcp from any to any port = http flags S/SA keep state
pass out proto tcp from any to any port = ssh flags S/SA keep state

If the first line does not indicate "block drop all", this is a finding.
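The two conditions in the check content (an uncommented pf_enable="YES" in /etc/rc.conf, and "block drop all" as the first line of the loaded ruleset) can be scripted so the same verdict is produced on every host. The following POSIX sh example is added here and is not part of the STIG or of FreeBSD; the sample rc.conf and ruleset text are constructed so the script runs offline, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: automates the FreeBSD-10-002310 check. Function names and
# sample inputs are constructed for this example.

# rc.conf check: argument is the file's contents. Succeeds (0) only if an
# uncommented pf_enable="YES" line is present; commented-out or "NO" lines fail.
rc_conf_pf_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*pf_enable="?YES"?[[:space:]]*$'
}

# Ruleset check: argument is the text of `pfctl -s rules`. Succeeds only if
# the first non-blank rule is exactly "block drop all", i.e. the default is
# deny and everything else must be an explicit pass exception.
pf_rules_deny_all() {
    first=$(printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e '/^$/d' | head -n 1)
    [ "$first" = "block drop all" ]
}

# Combined verdict: 0 = compliant, non-zero = finding.
stig_pf_check() {
    rc_conf_pf_enabled "$1" && pf_rules_deny_all "$2"
}

# Constructed sample inputs (not captured from a real host).
RC_CONF_OK='hostname="host.example"
pf_enable="YES"
pf_flags=""'

RC_CONF_BAD='hostname="host.example"
# pf_enable="YES"
pf_enable="NO"'

RULES_OK='block drop all
pass in proto tcp from any to any port = ssh flags S/SA keep state
pass out proto tcp from any to any port = ssh flags S/SA keep state'

# Allow rule precedes the block: PF's last-match semantics mean the block
# would win anyway, but the STIG requires block drop all as the first line.
RULES_BAD='pass in proto tcp from any to any port = ssh flags S/SA keep state
block drop all'

# On a live FreeBSD host (pfctl needs root), run:
#   stig_pf_check "$(cat /etc/rc.conf)" "$(pfctl -s rules)" && echo compliant || echo FINDING
```

The ruleset check deliberately inspects the loaded rules from pfctl rather than /etc/pf.conf, because the check content asks what is in effect, not what the file says; a host whose pf.conf is correct but was never reloaded would still be a finding.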
Fix Text
Configure the operating system to employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
Additional Identifiers
Rule ID:
Vulnerability ID: V-2310
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-002080 | The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.