3.5.2.7 Ensure nftables outbound and established connections are configured
Audit#
Run the following commands and verify all rules for established incoming connections match site policy: site policy:
Output should be similar to:
ip protocol tcp ct state established accept
ip protocol udp ct state established accept
ip protocol icmp ct state established accept
Run the folllowing command and verify all rules for new and established outbound connections match site policy
Output should be similar to:
ip protocol tcp ct state established,related,new accept
ip protocol udp ct state established,related,new accept
ip protocol icmp ct state established,related,new accept
Remediation#
Configure nftables in accordance with site policy. The following commands will implement a policy to allow all outbound connections and all established connections:
# nft add rule inet filter input ip protocol tcp ct state established accept
# nft add rule inet filter input ip protocol udp ct state established accept
# nft add rule inet filter input ip protocol icmp ct state established accept
# nft add rule inet filter output ip protocol tcp ct state new,related,established accept
# nft add rule inet filter output ip protocol udp ct state new,related,established accept
# nft add rule inet filter output ip protocol icmp ct state new,related,established accept