Configure Firewalld to Restrict Loopback Traffic

Classification: compliance

Framework:

Control:

Description

Configure firewalld to restrict loopback traffic to the lo interface.

The loopback traffic must be trusted by assigning the lo interface to the firewalld trusted zone. However, the loopback traffic must be restricted to the loopback interface as an anti-spoofing measure.

To configure firewalld to restrict loopback traffic to the lo interface, run the following commands:


sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'

To ensure firewalld settings are applied in runtime, run the following command:

firewall-cmd --reload
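As an added verification helper (not part of this rule's own remediation content), the following POSIX shell audit reads the trusted zone's rich-rule list and interface list from stdin and reports whether the two loopback anti-spoofing rules and the lo binding are present. The function names check_loopback_rules and check_lo_trusted, and the sample firewall-cmd output embedded below, are assumptions constructed for this example.

```shell
#!/bin/sh
# Added audit helper (not from the compliance guide). Reads the output of
#   firewall-cmd --permanent --zone=trusted --list-rich-rules
# on stdin and returns 0 only when both loopback anti-spoofing rules are present.
# Quotes are stripped before comparing because firewall-cmd prints rules in a
# normalised form (e.g. family="ipv4") that differs from the --add-rich-rule text.
check_loopback_rules() {
    rules=$(tr -d '"')
    v4='rule family=ipv4 source address=127.0.0.1 destination not address=127.0.0.1 drop'
    v6='rule family=ipv6 source address=::1 destination not address=::1 drop'
    missing=0
    for want in "$v4" "$v6"; do
        if printf '%s\n' "$rules" | grep -Fxq -- "$want"; then
            echo "present: $want"
        else
            echo "MISSING: $want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Reads the output of firewall-cmd --permanent --zone=trusted --list-interfaces
# (space-separated names) on stdin; returns 0 only if lo is bound to the trusted zone.
check_lo_trusted() {
    if tr ' ' '\n' | grep -Fxq -- lo; then
        echo "present: lo is bound to the trusted zone"
    else
        echo "MISSING: lo is not bound to the trusted zone"
        return 1
    fi
}

# Constructed sample output, as firewall-cmd would print it on a compliant host.
SAMPLE_RULES='rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop
rule family="ipv6" source address="::1" destination not address="::1" drop'
SAMPLE_IFACES='lo'

printf '%s\n' "$SAMPLE_RULES" | check_loopback_rules
printf '%s\n' "$SAMPLE_IFACES" | check_lo_trusted

# Live audit of this host, only when run as root with firewalld installed.
if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --permanent --zone=trusted --list-rich-rules | check_loopback_rules
    firewall-cmd --permanent --zone=trusted --list-interfaces | check_lo_trusted
fi
```

The checks read the permanent configuration; drop --permanent from the two firewall-cmd calls to audit the runtime configuration instead.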

Rationale

Loopback traffic is generated between processes on the same machine and is typically critical to the operation of the system. The loopback interface is the only place where loopback network traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    if ! rpm -q --quiet "firewalld" ; then
        dnf install -y "firewalld"
    fi

    if systemctl is-active firewalld; then
        firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
        firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
        firewall-cmd --reload
    else
        echo "
        firewalld service is not active. Remediation aborted!
        This remediation could not be applied because it depends on firewalld service running.
        The service is not started by this remediation in order to prevent connection issues."
        exit 1
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Package
    is Installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
  - firewalld
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86137-7
  - configure_strategy
  - firewalld_loopback_traffic_restricted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Restrict Loopback Traffic - Collect Facts About System
    Services
  ansible.builtin.service_facts: null
  register: result_services_states
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86137-7
  - configure_strategy
  - firewalld_loopback_traffic_restricted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Restrict Loopback Traffic - Remediation is Applicable
    if firewalld Service is Running
  block:

  - name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld trusted
      Zone Restricts IPv4 Loopback Traffic
    ansible.builtin.command:
      cmd: firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4
        source address="127.0.0.1" destination not address="127.0.0.1" drop'
    register: result_trusted_ipv4_restriction
    changed_when:
    - '''ALREADY_ENABLED'' not in result_trusted_ipv4_restriction.stderr'

  - name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld trusted
      Zone Restricts IPv6 Loopback Traffic
    ansible.builtin.command:
      cmd: firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6
        source address="::1" destination not address="::1" drop'
    register: result_trusted_ipv6_restriction
    changed_when:
    - '''ALREADY_ENABLED'' not in result_trusted_ipv6_restriction.stderr'

  - name: Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld Changes
      are Applied
    ansible.builtin.service:
      name: firewalld
      state: reloaded
    when:
    - result_trusted_ipv4_restriction is changed or result_trusted_ipv6_restriction
      is changed
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.services['firewalld.service'].state == 'running'
  tags:
  - CCE-86137-7
  - configure_strategy
  - firewalld_loopback_traffic_restricted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Restrict Loopback Traffic - Informative Message Based
    on Service State
  ansible.builtin.assert:
    that:
    - ansible_facts.services['firewalld.service'].state == 'running'
    fail_msg:
    - firewalld service is not active. Remediation aborted!
    - This remediation could not be applied because it depends on firewalld service
      running.
    - The service is not started by this remediation in order to prevent connection
      issues.
    success_msg:
    - Configure Firewalld to Restrict Loopback Traffic remediation successfully executed
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86137-7
  - configure_strategy
  - firewalld_loopback_traffic_restricted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed