CME-202
Host-Based Firewall (firewalld/nftables)
Description
Per-host network access control using firewalld zones or nftables rules. Restricts which network sources can reach specific services, reducing attack surface.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Vector (AV) | N → A | Service only reachable from adjacent/authorized networks |
| Scope (S) | C → U | Firewall prevents lateral movement to other services |
CWE Relationships
Verification
Verify firewalld is running with restrictive zone
$ firewall-cmd --state
# Expected: running
Platform: rhel
$ firewall-cmd --get-active-zones
# Expected: public
Platform: rhel
$ nft list ruleset | head -20
# Expected: table
Platform: linux
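The checks above only confirm that a firewall is present. To verify the control's actual claim (a service reachable only from authorized networks, the AV: N → A transition), the `nft list ruleset` output has to be inspected rule by rule. The script below is an added example, not part of this CME entry; it parses a constructed sample ruleset and the service port, chain layout and allowed networks are assumptions.

```python
"""Verify from `nft list ruleset` text that a TCP service is accepted only
from authorized source networks and that the input chain drops by default.
Added example; the ruleset below is constructed, not captured from a host."""
import ipaddress
import re
from typing import List, Optional

# Constructed sample of `nft list ruleset` output (assumed layout).
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr 10.0.10.0/24 tcp dport 22 accept
        tcp dport 80 accept
    }
}
"""

# Matches "tcp dport N accept", optionally prefixed by "ip saddr CIDR".
RULE_RE = re.compile(r'^(?:ip saddr (?P<src>\S+) )?tcp dport (?P<port>\d+) accept$')


def input_policy(ruleset: str) -> Optional[str]:
    """Default policy of the input chain ('drop', 'accept'), or None if absent."""
    m = re.search(r'hook input[^;]*;\s*policy (\w+);', ruleset)
    return m.group(1) if m else None


def accepted_sources(ruleset: str, port: int) -> List[Optional[str]]:
    """Source networks from which `port` is accepted; None means any source."""
    sources = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if m and int(m.group('port')) == port:
            sources.append(m.group('src'))
    return sources


def port_restricted_to(ruleset: str, port: int, allowed: List[str]) -> bool:
    """True only if the chain drops by default and every accept rule for `port`
    is scoped to a network contained in `allowed` (the AV: N -> A condition)."""
    if input_policy(ruleset) != 'drop':
        return False
    nets = [ipaddress.ip_network(a) for a in allowed]
    srcs = accepted_sources(ruleset, port)
    if not srcs:
        return False  # no accept rule: service unreachable, flag for review
    for src in srcs:
        if src is None:  # accepted from anywhere: control not in effect
            return False
        if not any(ipaddress.ip_network(src).subnet_of(n) for n in nets):
            return False
    return True
```

On a real host feed it the output of `nft list ruleset` instead of the constructed sample; port 22 passes against 10.0.0.0/16 here while port 80 fails because it is accepted from any source.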