Configure Firewalld to Trust Loopback Traffic
Description
Assign the loopback interface to the firewalld trusted zone in order to explicitly allow loopback traffic on the system.
To configure firewalld to trust loopback traffic, run the following command:
sudo firewall-cmd --permanent --zone=trusted --add-interface=lo
To ensure the firewalld settings are applied at runtime, run the following command:
sudo firewall-cmd --reload
Rationale
Loopback traffic is generated between processes on the machine and is typically critical to the operation of the system. The loopback interface is the only place where loopback network traffic should be seen; all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    # Make sure the firewalld package is present before touching its configuration
    if ! rpm -q --quiet "firewalld" ; then
        dnf install -y "firewalld"
    fi
    # firewall-cmd talks to the running daemon, so only remediate when it is active
    if systemctl is-active firewalld; then
        # Persist the change, then reload so the runtime configuration matches
        firewall-cmd --permanent --zone=trusted --add-interface=lo
        firewall-cmd --reload
    else
        echo "
firewalld service is not active. Remediation aborted!
This remediation could not be applied because it depends on firewalld service running.
The service is not started by this remediation in order to prevent connection issues."
        exit 1
    fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
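An added audit helper, not part of the rule's own remediation content: it asks firewalld whether lo is bound to the trusted zone in both the permanent and the runtime configuration, so that a permanent change that was never followed by a reload is reported as drift rather than as a pass. It assumes firewall-cmd is on PATH and the firewalld daemon is running.

```shell
#!/bin/sh
# Added audit helper (not part of the rule's remediation script).
# Compares firewalld's permanent and runtime view of the loopback interface
# in the "trusted" zone and classifies the pair, so that a forgotten
# "firewall-cmd --reload" shows up as drift instead of a pass.
# Assumes firewall-cmd is on PATH.

# classify PERMANENT RUNTIME
#   Pure function over the literal "yes"/"no" answers printed by
#   --query-interface; prints a verdict and returns 0 only when compliant.
classify() {
    case "$1/$2" in
        yes/yes) echo "PASS: lo is in the trusted zone (permanent and runtime)"; return 0 ;;
        yes/no)  echo "DRIFT: lo is trusted in permanent config only; run 'firewall-cmd --reload'"; return 2 ;;
        no/yes)  echo "DRIFT: lo is trusted at runtime only; the next reload will drop it"; return 3 ;;
        no/no)   echo "FAIL: lo is not assigned to the trusted zone"; return 1 ;;
        *)       echo "ERROR: unexpected query output '$1' / '$2'"; return 4 ;;
    esac
}

# --query-interface prints yes/no and exits 0/1; the exit status is swallowed
# here so that classify() alone decides the overall result.
query_permanent() { firewall-cmd --permanent --zone=trusted --query-interface=lo 2>/dev/null || true; }
query_runtime()   { firewall-cmd --zone=trusted --query-interface=lo 2>/dev/null || true; }

audit_loopback_trusted() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "ERROR: firewall-cmd not found; is firewalld installed?" >&2
        return 4
    fi
    # --permanent queries also go through the daemon, so both need it running.
    if ! firewall-cmd --state >/dev/null 2>&1; then
        echo "ERROR: firewalld is not running; nothing can be queried" >&2
        return 4
    fi
    classify "$(query_permanent)" "$(query_runtime)"
}

# Run the audit only when invoked with --check, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    audit_loopback_trusted
    exit $?
fi
```

Invoke as `sh audit.sh --check`; the exit status (0 pass, 1 fail, 2/3 drift, 4 error) is suitable for a cron job or configuration-management health check.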
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Package is Installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
    - firewalld
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-86116-1
    - configure_strategy
    - firewalld_loopback_traffic_trusted
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Collect Facts About System Services
  ansible.builtin.service_facts: null
  register: result_services_states
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-86116-1
    - configure_strategy
    - firewalld_loopback_traffic_trusted
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Remediation is Applicable if firewalld Service is Running
  block:
    - name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld trusted Zone Includes lo Interface
      ansible.builtin.command:
        cmd: firewall-cmd --permanent --zone=trusted --add-interface=lo
      register: result_lo_interface_assignment
      changed_when:
        - '''ALREADY_ENABLED'' not in result_lo_interface_assignment.stderr'

    - name: Configure Firewalld to Trust Loopback Traffic - Ensure firewalld Changes are Applied
      ansible.builtin.service:
        name: firewalld
        state: reloaded
      when:
        - result_lo_interface_assignment is changed
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - ansible_facts.services['firewalld.service'].state == 'running'
  tags:
    - CCE-86116-1
    - configure_strategy
    - firewalld_loopback_traffic_trusted
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Configure Firewalld to Trust Loopback Traffic - Informative Message Based on Service State
  ansible.builtin.assert:
    that:
      - ansible_facts.services['firewalld.service'].state == 'running'
    fail_msg:
      - firewalld service is not active. Remediation aborted!
      - This remediation could not be applied because it depends on firewalld service running.
      - The service is not started by this remediation in order to prevent connection issues.
    success_msg:
      - Configure Firewalld to Trust Loopback Traffic remediation successfully executed
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-86116-1
    - configure_strategy
    - firewalld_loopback_traffic_trusted
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed