Description of problem: The below section causes all incoming traffic to be accepted. Location in https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-index.html (Profile: DISA STIG ) firewalld > Strengthen the Default Ruleset > Configure firewalld To Rate Limit Connections Configure firewalld To Rate Limit Connections: ============================================== Configure firewalld To Rate Limit Connections [ref]rule Create a direct firewall rule to protect against DoS attacks with the following command: $ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT Rationale: DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks. Version-Release number of selected component (if applicable): Current version: 0.1.40 How reproducible: Every time Steps to Reproduce: 1.# firewall-cmd --set-default-zone=drop 2.# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT 3.# firewall-cmd --reload Actual results: All traffic is accepted Expected results: Anything that is not explicitly open to be dropped Additional info: If the command is change to -j INPUT_ZONES in stead of -j ACCEPT the traffic is rate limited as expected and the packets are filtered by the zones as intended. # firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES [root@firewalld ~]# firewall-cmd --perm --set-default-zone=drop [root@firewalld ~]# firewall-cmd --perm --add-service=ssh [root@firewalld ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j INPUT_ZONES [root@firewalld ~]firewall-cmd --reload [root@firewalld ~]# nc -l 5255 & [root@firewalld-client ~]# nc 10.12.214.19 5255 Ncat: Connection timed out. [root@firewalld-client ~]# nc 10.12.214.19 22 SSH-2.0-OpenSSH_7.4 [root@firewalld ~]# iptables -vnxL ----------------snip------------------------- Chain INPUT_direct (1 references) pkts bytes target prot opt in out source destination 9 540 INPUT_ZONES tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100 Chain INPUT_ZONES (2 references) pkts bytes target prot opt in out source destination 166 22758 IN_drop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 IN_drop all -- + * 0.0.0.0/0 0.0.0.0/0 Chain IN_drop (2 references) pkts bytes target prot opt in out source destination 166 22758 IN_drop_log all -- * * 0.0.0.0/0 0.0.0.0/0 166 22758 IN_drop_deny all -- * * 0.0.0.0/0 0.0.0.0/0 166 22758 IN_drop_allow all -- * * 0.0.0.0/0 0.0.0.0/0 165 22698 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain IN_drop_allow (1 references) pkts bytes target prot opt in out source destination 1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW Chain INPUT_ZONES (1 references) pkts bytes target prot opt in out source destination 5842 412K IN_drop all -- ens192 * 0.0.0.0/0 0.0.0.0/0 0 0 IN_drop all -- + * 0.0.0.0/0 0.0.0.0/0 Chain IN_drop (2 references) pkts bytes target prot opt in out source destination 5842 412K IN_drop_log all -- * * 0.0.0.0/0 0.0.0.0/0 5842 412K IN_drop_deny all -- * * 0.0.0.0/0 0.0.0.0/0 5842 412K IN_drop_allow all -- * * 0.0.0.0/0 0.0.0.0/0 1084 154K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Hello, good catch, and I agree it's a problem. After further investigation, I would suggest to replace `-j ACCEPT` with `-j DROP` to follow the idea of the rule. (I.e. to help mitigate DoS attacks). Little trouble is that what you found is issue in official DISA STIG for RHEL7. So it's nothing we can change easily (without having guidance differing from the offical). But we will reach out to DISA.
Ah, I realized now that limit works the other way around. So -j DROP is definitely not what we want :)
Upstream issue: https://github.com/ComplianceAsCode/content/issues/3495
In STIG V2R3 rule RHEL-07-040510 has a different fixtext, that doesn't involve creating a firewall rule but uses sysctls for ratelimiting. Fixtext: Set the system to implement rate-limiting measures by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value): net.ipv4.tcp_invalid_ratelimit = 500 Issue the following command to make the changes take # sysctl --system linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/rule.yml should be updated to reflect that.
Fixed upstream in https://github.com/ComplianceAsCode/content/pull/5126
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3909