Profile Applicability:
• Level 1
Description:
Configuring nftables to allow outbound and established connections ensures that traffic initiated by the host, and the return traffic of sessions the host has already established, is permitted. This configuration is essential to maintain normal network functionality while unsolicited incoming connections remain restricted.
Rationale:
Allowing outbound and established connections supports necessary communication without compromising security, helping maintain a balance between usability and protection.
Impact:
Pros:
Maintains network connectivity for legitimate sessions.
Prevents disruption of response traffic.
Cons:
Misconfiguration could lead to unintended access or connectivity issues.
Default Value:
By default, nftables may not have explicit rules for outbound and established connections.
Pre-requisites:
Root or sudo privileges to configure nftables.
Remediation:
Test Plan:
Using Linux command line:
1. List current nftables rules to check for outbound and established connection handling:
nft list chain inet filter output
nft list chain inet filter input
2. Verify rules exist allowing outbound traffic and established/related inbound traffic.
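As an added illustration (not part of the benchmark text), the following POSIX shell helper performs step 2 automatically: it parses a dumped ruleset and reports whether the input chain has an established,related accept rule and the output chain an accept rule. The table and chain names (inet filter, input, output) are the ones used above; the function names and the sample ruleset output are constructed for this example.

```shell
#!/bin/sh
# Added audit helper: checks a ruleset dump (the text `nft list ruleset` prints)
# for the two rules this item requires. Sample below is constructed; it assumes
# a single "inet filter" table so that chain names are unambiguous.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        accept
    }
}'

# chain_body NAME RULESET: print only the lines inside "chain NAME { ... }".
chain_body() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == "chain" && $2 == name { inside = 1; next }
        inside && $1 == "}" { inside = 0 }
        inside { print }'
}

# audit_nft_rules RULESET: returns 0 when both required rules are present,
# 1 otherwise, printing a PASS/FAIL line per check.
audit_nft_rules() {
    rc=0
    if chain_body input "$1" | grep -Eq '^[[:space:]]*ct state (established,related|related,established) accept'; then
        echo "PASS: input chain accepts established,related traffic"
    else
        echo "FAIL: no 'ct state established,related accept' rule in input chain"; rc=1
    fi
    if chain_body output "$1" | grep -Eq '^[[:space:]]*accept([[:space:]]|$)'; then
        echo "PASS: output chain accepts outbound traffic"
    else
        echo "FAIL: no accept rule in output chain"; rc=1
    fi
    return $rc
}

# Usage: audit the live ruleset when running as root with nft available,
# otherwise audit the constructed sample.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    audit_nft_rules "$(nft list ruleset)"
else
    audit_nft_rules "$SAMPLE_RULESET"
fi
```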
Implementation Plan:
Using Linux command line:
1. Add rules to allow outbound and established/related connections, for example:
nft add rule inet filter output accept
nft add rule inet filter input ct state established,related accept
2. Reload or apply nftables rules as needed.
Backout Plan:
Using Linux command line:
1. Remove or adjust rules if necessary:
nft delete rule inet filter output handle <handle_number>
nft delete rule inet filter input handle <handle_number>
2. Verify the firewall state and connectivity.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
nftables Documentation