Configure Firewalld to Trust Loopback Traffic

Description

Assign loopback interface to the firewalld trusted zone in order to explicitly allow the loopback traffic in the system.

To configure firewalld to trust loopback traffic, run the following command:

sudo firewall-cmd --permanent --zone=trusted --add-interface=lo

To ensure firewalld settings are applied in runtime, run the following command:

firewall-cmd --reload

Rationale

Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "firewalld" ; then
    dnf install -y "firewalld"
fi

if systemctl is-active firewalld; then
    firewall-cmd --permanent --zone=trusted --add-interface=lo
    firewall-cmd --reload
else
    echo "
    firewalld service is not active. Remediation aborted!
    This remediation could not be applied because it depends on firewalld service running.
    The service is not started by this remediation in order to prevent connection issues."
    exit 1
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Package is
    Installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
  - firewalld
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86116-1
  - PCI-DSSv4-1.4.1
  - configure_strategy
  - firewalld_loopback_traffic_trusted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Collect Facts About System
    Services
  ansible.builtin.service_facts: null
  register: result_services_states
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86116-1
  - PCI-DSSv4-1.4.1
  - configure_strategy
  - firewalld_loopback_traffic_trusted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Remediation is Applicable
    if firewalld Service is Running
  block:

  - name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld trusted
      Zone Includes lo Interface
    ansible.builtin.command:
      cmd: firewall-cmd --permanent --zone=trusted --add-interface=lo
    register: result_lo_interface_assignment
    changed_when:
    - '''ALREADY_ENABLED'' not in result_lo_interface_assignment.stderr'

  - name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Changes
      are Applied
    ansible.builtin.service:
      name: firewalld
      state: reloaded
    when:
    - result_lo_interface_assignment is changed
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.services['firewalld.service'].state == 'running'
  tags:
  - CCE-86116-1
  - PCI-DSSv4-1.4.1
  - configure_strategy
  - firewalld_loopback_traffic_trusted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Informative Message Based
    on Service State
  ansible.builtin.assert:
    that:
    - ansible_facts.services['firewalld.service'].state == 'running'
    fail_msg:
    - firewalld service is not active. Remediation aborted!
    - This remediation could not be applied because it depends on firewalld service
      running.
    - The service is not started by this remediation in order to prevent connection
      issues.
    success_msg:
    - Configure Firewalld to Trust Loopback Traffic remediation successfully executed
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-86116-1
  - PCI-DSSv4-1.4.1
  - configure_strategy
  - firewalld_loopback_traffic_trusted
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed