Profile Applicability:
 • Level 1

Description:
 firewalld provides dynamic firewall management, allowing administrators to control services and ports exposed on the system. Manually reviewing and configuring firewalld to drop all unnecessary services and ports reduces the attack surface and enhances security.

Rationale:
 Dropping unused services and closing unnecessary ports prevents unauthorized access and limits exposure to potential network attacks.

Impact:
 Pros:

  • Minimizes the risk of exploitation through open services and ports.

  • Helps maintain a secure and compliant network posture.

Cons:

  • Requires thorough understanding of legitimate service requirements to avoid disrupting operations.

  • Manual configuration may be time-consuming.

Default Value:
 firewalld may allow default services or ports based on zone configurations.

Pre-requisites:

  • Root or sudo privileges to configure firewalld.

Remediation:

Test Plan:

Using Linux command line:

1. List active firewalld zones and associated services/ports:

firewall-cmd --get-active-zones
firewall-cmd --zone=<zone> --list-services
firewall-cmd --zone=<zone> --list-ports

2. Identify unnecessary services and ports exposed in each zone.

Implementation Plan:

Using Linux command line:

1. Remove unnecessary services from the firewalld zone:

firewall-cmd --zone=<zone> --remove-service=<service> --permanent

2. Remove unnecessary ports from the firewalld zone:

firewall-cmd --zone=<zone> --remove-port=<port>/tcp --permanent
firewall-cmd --zone=<zone> --remove-port=<port>/udp --permanent

3. Reload firewalld to apply changes:

firewall-cmd --reload

4. Verify services and ports are removed:

firewall-cmd --zone=<zone> --list-services
firewall-cmd --zone=<zone> --list-ports

Backout Plan:

Using Linux command line:

1. Re-add services or ports if necessary:

firewall-cmd --zone=<zone> --add-service=<service> --permanent
firewall-cmd --zone=<zone> --add-port=<port>/tcp --permanent
firewall-cmd --zone=<zone> --add-port=<port>/udp --permanent

2. Reload firewalld and verify.
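The Test Plan, Implementation Plan and Backout Plan above are shown as one POSIX shell script. This is an added example, not part of the benchmark text: it enumerates the active zones, compares each zone's listed services and ports against an allowlist, prints the exact firewall-cmd removal commands from the Implementation Plan as a dry run, and derives the matching --add- commands for the Backout Plan. The allowlist values (ssh, 8443/tcp), the APPLY environment variable and the sample zone output used when firewall-cmd is not installed are constructed for illustration and must be replaced with the host's real requirements.

```shell
#!/bin/sh
# Added example (not benchmark text): audit firewalld zones against an
# allowlist, print removal commands, and only apply them when APPLY=1.

# Hypothetical allowlist for the zones under review: the services and ports
# this host genuinely needs. Anything else is reported for removal.
ALLOWED_SERVICES="ssh"
ALLOWED_PORTS="8443/tcp"

# not_allowed CURRENT ALLOWED: print each whitespace-separated item of CURRENT
# that does not appear in ALLOWED (a set difference), one item per line.
not_allowed() {
    current=$1
    allowed=$2
    for item in $current; do
        found=0
        for ok in $allowed; do
            [ "$item" = "$ok" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$item"
    done
    return 0
}

# plan_removals ZONE SERVICES PORTS: print the firewall-cmd commands from the
# Implementation Plan that would strip everything not on the allowlist from
# ZONE. Nothing is executed here; the output is the change record.
plan_removals() {
    zone=$1
    for svc in $(not_allowed "$2" "$ALLOWED_SERVICES"); do
        printf 'firewall-cmd --zone=%s --remove-service=%s --permanent\n' "$zone" "$svc"
    done
    for port in $(not_allowed "$3" "$ALLOWED_PORTS"); do
        printf 'firewall-cmd --zone=%s --remove-port=%s --permanent\n' "$zone" "$port"
    done
}

# backout_commands: read a removal plan on stdin and emit the Backout Plan
# commands that re-add the same services and ports.
backout_commands() {
    sed 's/--remove-/--add-/'
}

# audit_zone ZONE: gather the live service and port lists for ZONE when
# firewall-cmd is present; otherwise use constructed sample output so the
# logic can be exercised offline.
audit_zone() {
    zone=$1
    if command -v firewall-cmd >/dev/null 2>&1; then
        services=$(firewall-cmd --zone="$zone" --list-services)
        ports=$(firewall-cmd --zone="$zone" --list-ports)
    else
        # Constructed sample resembling a default "public" zone listing.
        services="ssh dhcpv6-client cockpit"
        ports="8443/tcp 5000/udp"
    fi
    plan_removals "$zone" "$services" "$ports"
}

# main: walk the active zones (zone names are the non-indented lines of
# --get-active-zones output), print the plan and its backout, and apply the
# plan followed by --reload only when APPLY=1 and firewall-cmd is available.
main() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        zones=$(firewall-cmd --get-active-zones | awk '/^[^ ]/')
    else
        zones="public"   # constructed stand-in when run offline
    fi
    for z in $zones; do
        echo "# zone: $z"
        plan=$(audit_zone "$z")
        [ -n "$plan" ] || { echo "# nothing to remove"; continue; }
        echo "# removal plan:"
        printf '%s\n' "$plan"
        echo "# backout:"
        printf '%s\n' "$plan" | backout_commands
        if [ "${APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
            printf '%s\n' "$plan" | sh -e    # execute the generated commands
            firewall-cmd --reload            # make the permanent config live
            firewall-cmd --zone="$z" --list-services
            firewall-cmd --zone="$z" --list-ports
        fi
    done
}

main "$@"
```

Run it once without APPLY to review the plan, save the printed backout lines, then rerun with APPLY=1 to execute the removals and reload. Two caveats follow from the benchmark steps: --permanent edits take effect only after --reload, so the final --list-services and --list-ports verification must run after the reload; and --get-active-zones lists only zones bound to an interface or source, so a zone that is configured but not active will not be audited by this loop.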

References: