Check: GEN008540
Solaris 10 X86 STIG:
GEN008540
(in versions v2 r4 through v1 r17)
Title
The system's local firewall must implement a deny-all, allow-by-exception policy. (Cat II impact)
Discussion
A local firewall protects the system from exposing unnecessary or undocumented network services to the local enclave. If a system within the enclave is compromised, firewall protection on an individual system continues to protect it from attack.
Check Content
If the system is not a global zone, this vulnerability is not applicable.
Check the firewall rules for a default deny rule:
# ipfstat -i
An example of a default deny rule is:
block in log quick on ne3 from any to any
If there is no default deny rule, this is a finding.
Fix Text
Edit /etc/ipf/ipf.conf and add a default deny rule. Restart the ipfilter service:
# svcadm restart network/ipfilter
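The following is an added example, not part of the DISA STIG text and not a DISA-supplied script. It shows one way to turn the Check Content above into a repeatable audit: a function that inspects a rule listing in the form `ipfstat -i` prints it and reports a finding when no catch-all inbound block rule is present, plus a live wrapper that applies the global-zone scoping. The sample rule listings are constructed for the example, the interface name `ne3` is taken from the STIG's own example rule, and the pattern used to recognise a default deny rule (a `block in` rule ending in `from any to any` or `all`) is an assumption about the output format, not a rule DISA prescribes.

```shell
#!/bin/sh
# Added example (not DISA's check): audit a rule listing for a default
# inbound deny rule in the form `ipfstat -i` prints it.
# Assumption: the default deny is any "block in" rule whose source and
# destination are the catch-all ("from any to any" or "all") with no
# further qualifiers such as a port or flags after it.

# has_default_deny: exit 0 if stdin contains a catch-all inbound block rule.
has_default_deny() {
    grep -E '^block in( [^ ]+)* (from any to any|all)$' >/dev/null
}

# check_ruleset: print "pass" or "finding" for the rule listing given as $1.
check_ruleset() {
    if printf '%s\n' "$1" | has_default_deny; then
        echo pass
    else
        echo finding
    fi
}

# Constructed sample listings (not captured from a real host).
# Compliant: exceptions first, each marked quick, then a logged catch-all
# block. With IPFilter the last matching rule wins unless a rule is quick,
# so a quick block rule must come after the quick pass rules it excepts.
COMPLIANT='pass in quick on ne3 proto tcp from 10.0.0.0/8 to any port = 22 flags S keep state
pass in quick on ne3 proto udp from any to any port = 123
block in log quick on ne3 from any to any'

# Non-compliant: only a targeted block for telnet, no catch-all deny, so
# every service not listed is implicitly allowed.
NONCOMPLIANT='pass in quick on ne3 proto tcp from any to any port = 22 flags S keep state
block in quick on ne3 proto tcp from any to any port = 23'

# audit_host: the live check for a Solaris 10 host. Non-global zones are
# out of scope (Not Applicable). An empty listing is treated as a finding,
# since it usually means network/ipfilter is disabled or has no rules.
audit_host() {
    if [ "$(zonename 2>/dev/null)" != "global" ]; then
        echo "not applicable"
        return 0
    fi
    # ipfstat -i lists the loaded inbound rules; -o would list outbound.
    rules=$(ipfstat -i 2>/dev/null) || rules=""
    if [ -z "$rules" ]; then
        echo "finding: no inbound rules loaded (is network/ipfilter enabled?)"
        return 1
    fi
    check_ruleset "$rules"
}

# Run the live check only when explicitly requested; the sample checks
# below run anywhere.
if [ "${1:-}" = "--live" ]; then
    audit_host
else
    echo "sample compliant listing:     $(check_ruleset "$COMPLIANT")"
    echo "sample non-compliant listing: $(check_ruleset "$NONCOMPLIANT")"
fi
```

Two caveats when applying this on a real host. First, `ipfstat -i` reports only inbound rules, which is all the Check Content asks for; `ipfstat -o` shows the outbound set if the local policy is meant to cover both directions. Second, rule order matters in IPFilter: because the last matching rule wins unless a rule is marked `quick`, a `block ... quick from any to any` placed before the `pass` exceptions blocks everything, while a non-quick `block in log all` works as the first rule with `pass in quick` exceptions after it. The pattern above accepts either form, so confirm the ordering by reading /etc/ipf/ipf.conf, not just by the presence of the rule.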
Additional Identifiers
Rule ID: SV-227981r854521_rule
Vulnerability ID: V-227981
Group Title: SRG-OS-000297
Expert Comments
CCIs
Number | Definition
---|---
CCI-002314 | The information system controls remote access methods.
Controls
Number | Title
---|---
AC-17 (1) | Automated Monitoring / Control