
4.2.4 Ensure ufw loopback traffic is configured

Audit

Run the following command and verify that the loopback interface is configured to accept traffic:

# grep -P -- 'lo|127.0.0.0' /etc/ufw/before.rules

Output includes:

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

Run the following command and verify that all other interfaces deny traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6):

# ufw status verbose
To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     127.0.0.0/8
Anywhere (v6)              DENY IN     ::1

Note: ufw status only shows rules added with the ufw command, not the rules found in the /etc/ufw rules files, where "allow all on loopback" is configured by default.

Remediation

Run the following commands to configure the loopback interface to accept traffic:

# ufw allow in on lo
# ufw allow out on lo

Run the following commands to configure all other interfaces to deny traffic to the loopback network:

# ufw deny in from 127.0.0.0/8
# ufw deny in from ::1
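The audit and remediation steps above can be scripted so that a host's state is checked the same way every time. The script below is an added example and is not part of the benchmark text or of ufw itself. It runs the audit checks against captured text rather than the live system, so it needs no root and no installed ufw: argument 1 is a copy of /etc/ufw/before.rules and argument 2 is saved output of `ufw status verbose`. For each failed check it prints the remediation command from the section above that is still needed. The sample inputs at the bottom are constructed to mirror the benchmark's expected output; the second status sample deliberately omits the IPv6 deny rule to show how a partial remediation is reported.

```shell
#!/bin/sh
# Offline audit helper for "Ensure ufw loopback traffic is configured".
# Added example, not benchmark or ufw code. Inputs are files, so this can be
# run against configuration collected from many hosts.

# Return 0 if before.rules contains both "allow all on loopback" rules.
check_before_rules() {
    grep -qE -- '^-A ufw-before-input[[:space:]]+-i[[:space:]]+lo[[:space:]]+-j[[:space:]]+ACCEPT' "$1" &&
    grep -qE -- '^-A ufw-before-output[[:space:]]+-o[[:space:]]+lo[[:space:]]+-j[[:space:]]+ACCEPT' "$1"
}

# Return 0 if the IPv4 loopback network is denied on all other interfaces.
check_deny_v4() {
    grep -qE -- '^Anywhere[[:space:]]+DENY IN[[:space:]]+127\.0\.0\.0/8([[:space:]]|$)' "$1"
}

# Return 0 if the IPv6 loopback address is denied on all other interfaces.
check_deny_v6() {
    grep -qE -- '^Anywhere \(v6\)[[:space:]]+DENY IN[[:space:]]+::1([[:space:]]|$)' "$1"
}

# Print PASS/FAIL per check plus the remediation still needed.
# Returns 0 only when every check passes.
audit_loopback() {
    rules=$1 status=$2 rc=0
    if check_before_rules "$rules"; then
        echo "PASS: before.rules allows all traffic on lo"
    else
        echo "FAIL: before.rules is missing the loopback ACCEPT rules"
        echo "  remediation: ufw allow in on lo; ufw allow out on lo"
        rc=1
    fi
    if check_deny_v4 "$status"; then
        echo "PASS: 127.0.0.0/8 denied on other interfaces"
    else
        echo "FAIL: 127.0.0.0/8 is not denied on other interfaces"
        echo "  remediation: ufw deny in from 127.0.0.0/8"
        rc=1
    fi
    if check_deny_v6 "$status"; then
        echo "PASS: ::1 denied on other interfaces"
    else
        echo "FAIL: ::1 is not denied on other interfaces"
        echo "  remediation: ufw deny in from ::1"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_RULES=$(mktemp); SAMPLE_STATUS_OK=$(mktemp); SAMPLE_STATUS_BAD=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
EOF
cat > "$SAMPLE_STATUS_OK" <<'EOF'
To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     127.0.0.0/8
Anywhere (v6)              DENY IN     ::1
EOF
# Missing the IPv6 deny rule: a common partial remediation.
cat > "$SAMPLE_STATUS_BAD" <<'EOF'
To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     127.0.0.0/8
EOF

# On a live host, save `ufw status verbose` to a file (it needs root) and run:
#   audit_loopback /etc/ufw/before.rules /path/to/saved-status.txt
audit_loopback "$SAMPLE_RULES" "$SAMPLE_STATUS_OK"
echo "---"
audit_loopback "$SAMPLE_RULES" "$SAMPLE_STATUS_BAD" || echo "audit failed (expected for the second sample)"
```

The regexes anchor on whole rule lines rather than the loose `lo|127.0.0.0` pattern of the audit command, so a commented-out rule or an unrelated address containing those characters does not produce a false pass.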

Default Value:

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT