STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Red Hat Enterprise Linux 10 Security Technical Implementation Guide

V-280957

CAT II (Medium)

RHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

Rule ID

SV-280957r1165226_rule

STIG

Red Hat Enterprise Linux 10 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002314

Discussion

Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD data. RHEL 10 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be used in a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.

Check Content

Verify RHEL 10 is configured so that "firewalld" employs a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands (using ens133 as an example interface):

$ sudo  firewall-cmd --state
running

$ sudo firewall-cmd --get-active-zones
drop (default)
   interfaces: ens33

$  sudo firewall-cmd --info-zone=drop | grep target
  target: DROP

$ sudo firewall-cmd --permanent --info-zone=drop | grep target
   target: DROP

If no zones are active on the RHEL 10 interfaces or if runtime and permanent targets are set to an option other than "DROP", this is a finding.

Verify the permanent configuration is valid and there are no misconfigured zones or rules with the following command:

$ sudo firewall-cmd --check-config
success

If this command does not return "success", this is a finding.

Fix Text

Configure RHEL 10 so that the "firewalld" daemon employs a deny-all, allow-by-exception policy with the following commands (using ens133 as an example interface):

Start by adding the exceptions that are required for mission functionality to the "drop" zone. If SSH access on port 22 is needed, for example, run the following: 

$ sudo firewall-cmd --permanent --add-service=ssh --zone=drop

Reload the firewall rules to update the runtime configuration from the "--permanent" changes made above:

$ sudo firewall-cmd --reload

Set the default zone to the drop zone:

$ sudo firewall-cmd --set-default-zone=drop
Note: This is a runtime and permanent change.

Add any interfaces to the newly modified "drop" zone:

$ sudo firewall-cmd --permanent --zone=drop --change-interface=ens33

Reload the firewall rules for changes to take effect:

$ sudo firewall-cmd --reload