3.5.2.8 Ensure nftables default deny firewall policy

Audit

Run the following commands and verify that every base chain with an input, forward, or output hook has a policy of DROP.

# nft list ruleset | grep 'hook input'
type filter hook input priority 0; policy drop;

# nft list ruleset | grep 'hook forward'
type filter hook forward priority 0; policy drop;

# nft list ruleset | grep 'hook output'
type filter hook output priority 0; policy drop;

Remediation

Run the following command for each base chain with an input, forward, or output hook to set a default DROP policy:

# nft chain <table family> <table name> <chain name> { policy drop \; }

Example:

# nft chain inet filter input { policy drop \; }
# nft chain inet filter forward { policy drop \; }
# nft chain inet filter output { policy drop \; }
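The audit and remediation steps above can be scripted against captured `nft list ruleset` output so the check runs without root and can be applied to rulesets from many hosts. The script below is an added example, not part of the benchmark page or the nftables project: it parses the base-chain declarations, reports PASS/FAIL per hook, and prints the page's `nft chain ... { policy drop \; }` command for every base chain that is not policy drop. It goes slightly beyond the page's grep check in that a hook present in several tables (e.g. `inet filter` and `ip filter`) must be policy drop in all of them. The two rulesets embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the benchmark page): audit the nftables default-deny
# policy offline from captured `nft list ruleset` text, and print the
# remediation commands from the page for any base chain that fails.
# The rulesets below are constructed samples, not output from a real host.

# parse_base_chains RULESET_TEXT
# Prints one line per base chain: "<family> <table> <chain> <hook> <policy>".
# A base chain with no explicit policy is reported as "accept", nftables' default.
parse_base_chains() {
    printf '%s\n' "$1" | awk '
        $1 == "table" { family = $2; table = $3 }
        $1 == "chain" { chain = $2 }
        /hook (input|forward|output)/ {
            hook = ""; policy = "accept"
            for (i = 1; i <= NF; i++) {
                if ($i == "hook")   hook = $(i + 1)
                if ($i == "policy") { policy = $(i + 1); sub(/;$/, "", policy) }
            }
            print family, table, chain, hook, policy
        }'
}

# check_default_deny RULESET_TEXT
# Returns 0 only if input, forward and output hooks all exist and every base
# chain carrying one of them has policy drop; prints a PASS/FAIL line per hook.
check_default_deny() {
    chains=$(parse_base_chains "$1")
    rc=0
    for hook in input forward output; do
        matches=$(printf '%s\n' "$chains" | awk -v h="$hook" '$4 == h')
        if [ -z "$matches" ]; then
            echo "FAIL: no base chain with hook $hook"
            rc=1
        elif printf '%s\n' "$matches" | awk '$5 != "drop" { bad = 1 } END { exit !bad }'; then
            echo "FAIL: hook $hook has a base chain whose policy is not drop"
            rc=1
        else
            echo "PASS: hook $hook policy drop"
        fi
    done
    return $rc
}

# suggest_remediation RULESET_TEXT
# Prints the page's remediation command for each base chain that is not
# policy drop, one per line; prints nothing when the ruleset complies.
# A hook with no base chain at all needs the chain created first, which
# this function does not do.
suggest_remediation() {
    parse_base_chains "$1" | awk '$5 != "drop" {
        printf "nft chain %s %s %s { policy drop \\; }\n", $1, $2, $3
    }'
}

# Constructed sample: all three base chains default to drop.
RULESET_COMPLIANT='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
    }
}'

# Constructed sample: no forward base chain, and output still accepts by default.
RULESET_NONCOMPLIANT='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}'

echo "== constructed compliant ruleset =="
check_default_deny "$RULESET_COMPLIANT" || :
echo "== constructed non-compliant ruleset =="
check_default_deny "$RULESET_NONCOMPLIANT" || \
    suggest_remediation "$RULESET_NONCOMPLIANT" | sed 's/^/  remediate: /'

# On a live host (root required) the same audit is:
#   check_default_deny "$(nft list ruleset)"
```

Feeding a saved ruleset rather than calling `nft` directly keeps the audit read-only and lets the same check run in CI or a configuration audit pipeline; the remediation lines it prints are exactly the commands given in the Remediation section and still have to be reviewed and run by an administrator, with the ruleset persisted afterwards so the policy survives a reboot.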

Default Value:

accept