Profile Applicability:
 • Level 1

Description:
 Ensuring that ip6tables firewall rules explicitly exist for all open IPv6 ports guarantees that network traffic is properly controlled and only authorized services are accessible. This reduces the attack surface by preventing unauthorized access.

Rationale:
 Explicit firewall rules for open IPv6 ports enforce security policies and prevent unintended exposure of services to the network.

Impact:
 Pros:

  • Improves system security by tightly controlling network access.

  • Supports compliance with security and auditing requirements.

Cons:

  • Requires ongoing management as open ports change.

Default Value:
 Systems may have open IPv6 ports without corresponding explicit ip6tables rules.

Pre-requisites:

  • Root or sudo privileges to inspect and manage firewall rules.

Remediation:

Test Plan:

Using Linux command line:

1. Identify open IPv6 ports and listening services:

ss -tuln6

2. List current ip6tables rules filtering incoming traffic:

ip6tables -L INPUT -v -n

3. Cross-check open ports against ip6tables rules to ensure each open port has an associated allow rule.

Implementation Plan:

Using Linux command line:

1. For any open port missing an ip6tables allow rule, add the appropriate rule, for example (for TCP port 80):

ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT

2. Save ip6tables rules to persist after reboot:

service ip6tables save  # or equivalent command

3. Verify the rules are applied:

ip6tables -L INPUT -v -n

Backout Plan:

Using Linux command line:

1. Remove any added rules if necessary:

ip6tables -D INPUT -p tcp --dport 80 -j ACCEPT

2. Save changes and verify rule removal.

References: