Configure Firewalld to Use the Nftables Backend


Description

Firewalld supports two backends for programming the kernel packet filter: the legacy iptables backend and nftables. The FirewallBackend option in /etc/firewalld/firewalld.conf selects which one is used; this rule requires it to be set to nftables.

Rationale

nftables is the modern in-kernel packet classification framework that replaces iptables for controlling network connections coming into a system. Its limit statement rate-limits matching traffic (firewalld exposes it through the limit keyword of rich rules), which helps mitigate denial-of-service attacks against exposed services.

Remediation

Shell script

The following script can be run on the host to remediate the issue. It sets FirewallBackend=nftables in /etc/firewalld/firewalld.conf; restart firewalld afterwards (systemctl restart firewalld) so the new backend is actually used.

#!/bin/bash

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core && { rpm --quiet -q firewalld; }; then

if [ -e "/etc/firewalld/firewalld.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf"
else
    touch "/etc/firewalld/firewalld.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/firewalld/firewalld.conf"

cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak"
# Insert before the line matching the regex '^#\s*FirewallBackend'.
line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*FirewallBackend', insert at
    # the end of the file.
    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf"
    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
    tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf"
fi
# Clean up after ourselves.
rm "/etc/firewalld/firewalld.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
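The remediation above writes the setting, but it does not tell you whether a host is already compliant, and a naive grep for "FirewallBackend=" is fooled by the commented-out default that ships in firewalld.conf, by whitespace around the "=", and by duplicate keys. The script below is an added example, not part of the ComplianceAsCode rule content: it evaluates the file the way firewalld reads it (comments ignored, whitespace tolerated, last assignment wins, absent key reported as unset), offers a live check that the nftables backend owns the "inet firewalld" table, and, for the limit statement mentioned in the Rationale, shows the firewall-cmd rich rule that asks firewalld to emit an nftables rate limit. The function and file names are the example's own; the live and rich-rule functions need a running firewalld and are defined but not executed by the demo.

```bash
#!/bin/bash
# Added example (not part of the ComplianceAsCode rule): audit the effective
# FirewallBackend value the way firewalld itself parses firewalld.conf.
#   * lines starting with '#' are comments, so "#FirewallBackend=iptables" does not count
#   * whitespace around the key, '=' and value is ignored
#   * if the key appears more than once, the last assignment wins
#   * an absent key is reported as "unset" (firewalld then applies its built-in default)

# Print the effective backend ("nftables", "iptables", or "unset") from a config file.
firewalld_backend_setting() {
    local conf="$1" value
    value="$(LC_ALL=C sed -n \
        's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)"
    printf '%s\n' "${value:-unset}"
}

# Succeed only when the key is explicitly set to nftables, which is what the rule requires.
firewalld_backend_compliant() {
    [ "$(firewalld_backend_setting "$1")" = "nftables" ]
}

# Live check for a host running firewalld: with the nftables backend, firewalld
# programs its rules into a table named "firewalld" in the inet family.
# Returns 2 when nft is not installed. Not run by the demo below.
firewalld_backend_live() {
    command -v nft >/dev/null 2>&1 || return 2
    nft list tables 2>/dev/null | grep -q '^table inet firewalld$'
}

# Rate-limit new SSH connections with a firewalld rich rule (the "limit" the
# Rationale refers to); firewalld renders it as an nftables "limit rate"
# expression, which the final grep shows. Needs root and a live firewalld.
apply_ssh_rate_limit() {
    local zone="${1:-public}" rate="${2:-10/m}"
    firewall-cmd --permanent --zone="$zone" \
        --add-rich-rule="rule service name=\"ssh\" accept limit value=\"$rate\"" || return 1
    firewall-cmd --reload || return 1
    nft list ruleset | grep 'limit rate'
}

# Demo on constructed configs in a temp dir (sample data, not from a real host).
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT

# 1. Only the shipped, commented-out default: the key is unset.
printf '# FirewallBackend\n# FirewallBackend=nftables\n' > "$demo_dir/unset.conf"
# 2. Explicit iptables, with whitespace that a grep for 'FirewallBackend=' would miss.
printf 'DefaultZone=public\n  FirewallBackend = iptables \n' > "$demo_dir/iptables.conf"
# 3. Duplicate keys: the later nftables assignment wins.
printf 'FirewallBackend=iptables\nFirewallBackend=nftables\n' > "$demo_dir/dupe.conf"

for f in unset iptables dupe; do
    if firewalld_backend_compliant "$demo_dir/$f.conf"; then verdict=PASS; else verdict=FAIL; fi
    printf '%-9s -> %-8s %s\n' "$f" "$(firewalld_backend_setting "$demo_dir/$f.conf")" "$verdict"
done
```

On a real host, run `firewalld_backend_setting /etc/firewalld/firewalld.conf` before and after the remediation, then `firewalld_backend_live` after restarting firewalld; the file check alone only proves the configuration was written, not that the running daemon picked it up.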

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86506-3
  - DISA-STIG-RHEL-08-040150
  - NIST-800-53-SC-5
  - firewalld-backend
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Setting unquoted shell-style assignment of 'FirewallBackend' to 'nftables'
    in '/etc/firewalld/firewalld.conf'
  block:

  - name: Check for duplicate values
    ansible.builtin.lineinfile:
      path: /etc/firewalld/firewalld.conf
      create: true
      regexp: (?i)^\s*FirewallBackend=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/firewalld/firewalld.conf
    ansible.builtin.lineinfile:
      path: /etc/firewalld/firewalld.conf
      create: true
      regexp: (?i)^\s*FirewallBackend=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/firewalld/firewalld.conf
    ansible.builtin.lineinfile:
      path: /etc/firewalld/firewalld.conf
      create: true
      regexp: (?i)^\s*FirewallBackend=
      line: FirewallBackend=nftables
      state: present
      insertbefore: ^# FirewallBackend
      validate: /usr/bin/bash -n %s
  when:
  - '"kernel-core" in ansible_facts.packages'
  - '"firewalld" in ansible_facts.packages'
  tags:
  - CCE-86506-3
  - DISA-STIG-RHEL-08-040150
  - NIST-800-53-SC-5
  - firewalld-backend
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy