Skip to content

3.5.1.6 Ensure ufw firewall rules exist for all open ports

Audit#

Run the following script to verify a firewall rule exists for all open ports: 

#!/usr/bin/env bash
ufw_out="$(ufw status verbose)"
ss -tuln | awk '($5!~/%lo:/ && $5!~/127.0.0.1:/ && $5!~/::1/) {split($5, a, ":"); print a[2]}' | sort | uniq | while read -r lpn; do
 ! grep -Pq "^\h*$lpn\b" <<< "$ufw_out" && echo "- Port: \"$lpn\" is missing a firewall rule"
done

Nothing should be returned

Remediation#

For each port identified in the audit which does not have a firewall rule, add rule for accepting or denying inbound connections:

Example: 

# ufw allow in <port>/<tcp or udp protocol>