Profile Applicability:
 • Level 1

Description:
 Rules loaded into nftables at runtime exist only in the kernel and are lost when the system reboots. Saving the ruleset to a file that the nftables service reloads at boot keeps the firewall policy consistent across reboots and prevents the host from coming up with no packet filtering in place.

Rationale:
 Persisting the ruleset means the firewall policy is re-applied automatically on every boot, so there is no window between startup and manual reconfiguration in which the host accepts unfiltered traffic.

Impact:
 Pros:

  • Maintains firewall rule consistency across system reboots.

  • Enhances system security by avoiding unprotected states.

Cons:

  • The saved file must be regenerated after every runtime rule change, or those changes are lost at the next reboot.

  • A mistake in the saved file (for example, no rule permitting SSH) is re-applied on every boot and can lock out remote administration, so the file should be syntax-checked and backed up before the service is enabled.

Default Value:
 Nftables rules are not saved permanently by default unless explicitly configured.

Pre-requisites:

  • Root or sudo privileges to manage firewall rules and system services.

Remediation:

Test Plan:

Using Linux command line:

1. List the ruleset currently loaded in the kernel:

nft list ruleset

2. Confirm that the same rules are present in the file the nftables service loads at boot, usually /etc/nftables.conf. On Amazon Linux 2 and other RHEL-derived systems the service unit loads /etc/sysconfig/nftables.conf instead; the authoritative path is the one named in the unit's ExecStart line. Any rule present in the live ruleset but absent from that file will not survive a reboot.

Implementation Plan:

Using Linux command line:

1. Save the live ruleset to the file the nftables service loads at boot (the path identified in the Test Plan; /etc/nftables.conf is shown here):

nft list ruleset > /etc/nftables.conf

The service loads this file with nft -f, which adds to tables that already exist rather than replacing them, so begin the file with a flush ruleset statement to make every start or restart produce exactly the saved rules. Check the file's syntax with nft -c -f FILE, which parses it without changing the live ruleset, and restrict it to root, since it is the host's firewall policy.

2. Enable and start the nftables service to load rules on boot:

systemctl enable nftables
systemctl start nftables

3. Verify the service is enabled:

systemctl is-enabled nftables
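The following script, added here as a worked example and not part of the CIS benchmark or the nftables project, implements the Test Plan check and the Implementation Plan save step together: it writes the live ruleset to a file with a flush ruleset header so that reloading is idempotent, and compares the saved file against the live ruleset to detect rules added at runtime but never saved. The NFT_CONF variable, the function names and the sample ruleset are this example's own; the sample is constructed, not captured from a real host, and the functions that touch nft and systemctl run only when invoked explicitly as root.

```bash
#!/usr/bin/env bash
# Added example (not from the benchmark or nftables): persist the live
# ruleset idempotently and audit whether the saved file still matches it.
# NFT_CONF, the function names and SAMPLE_RULESET are this example's own.
set -u

# File the nftables service loads at boot. /etc/nftables.conf is the page's
# default; Amazon Linux 2 / RHEL units read /etc/sysconfig/nftables.conf.
# Confirm with: systemctl cat nftables | grep ExecStart
NFT_CONF="${NFT_CONF:-/etc/nftables.conf}"

# Canonicalise ruleset text for comparison: drop comments (including the
# shebang), surrounding whitespace, blank lines and our 'flush ruleset'.
normalize_ruleset() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e '/^flush ruleset$/d'
}

# Write ruleset text from stdin to $1 as an nft -f script. The leading
# 'flush ruleset' matters: nft -f adds to existing tables, so without it
# every service restart appends a second copy of each rule. Mode 0600
# because the file is the firewall policy.
write_persistent_ruleset() {
    local dest="$1"
    {
        printf '#!/usr/sbin/nft -f\n'
        printf 'flush ruleset\n'
        cat
    } > "$dest"
    chmod 0600 "$dest"
}

# Parse-only check of a saved file; nft -c never touches the live ruleset.
# Skips with status 0 where nft is not installed (e.g. a build host).
check_ruleset_syntax() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check of $1" >&2
    fi
}

# Audit: return 0 when the live ruleset text in file $1 and the saved
# file $2 describe the same rules, 1 otherwise. A rule added with
# 'nft add rule ...' and never saved is the drift this detects.
ruleset_persisted() {
    local live="$1" saved="$2"
    [ -r "$saved" ] || return 1
    [ "$(normalize_ruleset < "$live")" = "$(normalize_ruleset < "$saved")" ]
}

# Implementation Plan on a real host (root, nft present). Not run by default.
persist_live_ruleset() {
    nft list ruleset | write_persistent_ruleset "$NFT_CONF"
    check_ruleset_syntax "$NFT_CONF"
    systemctl enable nftables
    systemctl start nftables
    systemctl is-enabled nftables
}

# Test Plan on a real host: non-zero exit means the live rules are not
# what will be restored at boot. Not run by default.
audit_live_ruleset() {
    local live; live="$(mktemp)"
    nft list ruleset > "$live"
    ruleset_persisted "$live" "$NFT_CONF"; local rc=$?
    rm -f "$live"
    return "$rc"
}

# Constructed sample of 'nft list ruleset' output (not from a real system).
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
}'

# Offline demo: save the sample, confirm it round-trips, then simulate a
# runtime-only change and confirm the audit flags it. Returns 0 on success.
demo() {
    local work; work="$(mktemp -d)"
    printf '%s\n' "$SAMPLE_RULESET" > "$work/live.nft"
    write_persistent_ruleset "$work/saved.nft" < "$work/live.nft"
    ruleset_persisted "$work/live.nft" "$work/saved.nft" || { rm -rf "$work"; return 1; }
    # Unsaved runtime change: port 80 opened with 'nft add rule' but never saved.
    printf '%s\n' "$SAMPLE_RULESET" \
        | sed 's/tcp dport 22 accept/tcp dport { 22, 80 } accept/' > "$work/live.nft"
    if ruleset_persisted "$work/live.nft" "$work/saved.nft"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}

case "${1:-demo}" in
    persist) persist_live_ruleset ;;
    audit)   audit_live_ruleset ;;
    demo)    demo && echo "demo: saved file round-trips and unsaved drift is detected" ;;
esac
```

Run with no arguments for the offline demo; the persist and audit modes call nft and systemctl and need root. The audit ignores comments and whitespace but is otherwise a textual comparison: nft prints sets, ranges and priorities in its own canonical form, so always generate the saved file from nft list ruleset rather than by hand, or the comparison will report drift that is not there.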

Backout Plan:

Using Linux command line:

1. Disable the nftables service if necessary:

systemctl disable nftables
systemctl stop nftables

Note that the service unit's ExecStop runs nft flush ruleset, so stopping the service removes the live firewall rules as well as the boot-time restore; the host is unfiltered until rules are reapplied or another network control is in place.

2. Back up /etc/nftables.conf (or whichever file the unit loads) before removing it, so the policy can be restored.

References:

  • CIS Amazon Linux 2 Benchmark v3.0.0

  • nftables Documentation

  • Systemd Service Management