Profile Applicability:
 • Level 1

Description:
 A default deny firewall policy drops all incoming and forwarded traffic unless a firewall rule explicitly accepts it. Configuring the nftables input and forward base chains with a drop policy protects the system by rejecting any connection that no rule permits.

Rationale:
 Implementing a default deny policy reduces the attack surface by allowing only necessary and explicitly permitted traffic, thereby enhancing network security.

Impact:
 Pros:

  • Provides strong baseline protection against unauthorized connections.

  • Encourages explicit definition of allowed traffic.

 Cons:

  • Misconfiguration, or switching the policy to drop before the required accept rules exist, blocks legitimate traffic (including remote administrative sessions) and causes connectivity issues.

Default Value:
 nftables does not enforce a default deny policy unless one is explicitly configured; a base chain created without a policy statement accepts traffic.

Pre-requisites:

  • Root or sudo privileges to manage nftables rules.

Remediation:

Test Plan:

Using Linux command line:

1. List the nftables filter table to verify the chain policies (the command fails if the inet filter table does not exist, which also means no default deny policy is in place):

nft list table inet filter

2. Confirm that the input and forward chains are base chains (each has a type filter hook ... line) and that each one shows policy drop.

Implementation Plan:

Using Linux command line:

1. Set the default policy of the input and forward base chains to drop if it is not already set. The inet filter table must already exist, and rules accepting required traffic (loopback, established connections, the administrative session) must be in place before the policy is switched, or remote access is cut off:

nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }

2. These commands take effect immediately but are not persistent. Record the ruleset in the distribution's nftables configuration file (typically /etc/nftables.conf) and reload it so the policy survives a reboot.
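The following shell script is an added example and is not part of the benchmark text. It combines the audit from the Test Plan with the change from the Implementation Plan: audit_default_deny parses a ruleset listing and passes only when both the input and forward chains show policy drop, and apply_default_deny syntax-checks and loads a ruleset that sets those policies. It assumes the inet filter table named above; the accept rules for loopback, established/related traffic, ICMP and SSH on port 22 are illustrative assumptions to adapt to the host, the function names are the example's own, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit and apply a default deny
# policy on the inet filter input/forward chains.

# Hardened ruleset (assumption: the host uses the benchmark's "inet filter"
# table). The accept rules for loopback, established/related traffic, ICMP and
# SSH are illustrative; adjust them to the services the host must expose.
# "table" followed by "delete table" makes the load idempotent: the table is
# created if missing, then removed and rebuilt so stale rules do not accumulate.
HARDENED_RULESET='table inet filter
delete table inet filter
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr ipv6-icmp accept
    tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}'

# Constructed sample of `nft list table inet filter` output from a host whose
# forward chain still has the default accept policy.
SAMPLE_NONCOMPLIANT='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}'

# audit_default_deny: read a ruleset listing from stdin and return 0 only when
# both the input and forward chains declare "policy drop". A chain that is
# missing, is not a base chain (no hook/policy line) or is set to accept fails.
audit_default_deny() {
  _listing=$(cat)
  for _chain in input forward; do
    _policy=$(printf '%s\n' "$_listing" | awk -v c="$_chain" '
      $1 == "chain" && $2 == c { in_chain = 1; next }
      in_chain && /policy/ {
        for (i = 1; i <= NF; i++)
          if ($i == "policy") { p = $(i + 1); sub(/;$/, "", p); print p; exit }
      }
      in_chain && /^[ \t]*}/ { in_chain = 0 }')
    if [ "$_policy" != "drop" ]; then
      echo "FAIL: chain $_chain policy is '${_policy:-unset}', expected drop" >&2
      return 1
    fi
  done
  echo "PASS: input and forward chains have policy drop"
}

# apply_default_deny: parse-check the ruleset with nft -c, then load it.
# Needs root and nft(8); "nft -f -" reads the ruleset from stdin.
apply_default_deny() {
  command -v nft >/dev/null 2>&1 || { echo "nft(8) not installed" >&2; return 1; }
  printf '%s\n' "$HARDENED_RULESET" | nft -c -f - || return 1
  printf '%s\n' "$HARDENED_RULESET" | nft -f -
}

# Demonstration: the constructed sample fails, the hardened ruleset passes, and
# the live ruleset is audited when nft is present and the table exists.
# Call apply_default_deny explicitly (as root) to enforce the policy.
printf '%s\n' "$SAMPLE_NONCOMPLIANT" | audit_default_deny || true
printf '%s\n' "$HARDENED_RULESET" | audit_default_deny || true
if command -v nft >/dev/null 2>&1 && nft list table inet filter >/dev/null 2>&1; then
  nft list table inet filter | audit_default_deny || true
fi
```

On a live host, `nft list table inet filter | sh -c '. ./script.sh; audit_default_deny'` style usage or simply running the script performs the Test Plan check; the audit deliberately treats a missing chain or a chain without a hook line as a failure, because a regular (non-base) chain named input does not filter anything.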

Backout Plan:

Using Linux command line:

1. Change the default policies back to accept if necessary (the commands update the existing base chains in place):

nft add chain inet filter input { policy accept \; }
nft add chain inet filter forward { policy accept \; }

2. Update the persistent nftables configuration to match and reload it, so the accept policy also applies after a reboot.

References: