Setting Default firewalld Zone for Incoming Packets?

Any thoughts on setting my default firewalld zone for incoming packets to DefaultZone=drop?

We really need more info on your concerns.

The default config for Fedora firewalld drops all that is not already deemed permissible, so maybe you can enlighten us as to what you really feel is an issue.

firewall-cmd --list-all displays the current config, so that would be a good starting point.

A good reference is Using firewalld :: Fedora Docs

Well, this was my logic: in firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
So it seemed like the way to go.

Exactly. Default means "when all else has been checked and failed, then apply the default".

I think if you check the individual rule chains, they all lead to drop as the final action if the packet fails all the preceding checks.
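The thread turns on what the default zone actually catches, and on the warning that changing it can lock an admin out. The following POSIX shell script is an added example, not code from the thread or from the firewalld project: it reads a firewalld.conf and zone XML files in the format firewalld uses under /etc/firewalld, then reports which zone each interface would land in and whether that zone still admits the ssh service. All file contents and paths are constructed samples written to a temporary directory, and the interface names eth0/eth1 are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check before setting DefaultZone=drop.
# Reads a firewalld.conf and zone XML files in firewalld's on-disk format and reports
# whether the zone that will catch a given interface still admits the ssh service.
# Everything below uses constructed sample files in a temp dir, never /etc.

set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of firewalld.conf after an admin has set DefaultZone=drop.
cat > "$WORK/firewalld.conf" <<'EOF'
# firewalld config file
DefaultZone=drop
CleanupOnExit=yes
EOF

mkdir -p "$WORK/zones"
# Constructed sample zone files. The drop zone admits nothing; the public zone
# admits ssh and dhcpv6-client and has eth0 bound to it permanently.
cat > "$WORK/zones/drop.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped.</description>
</zone>
EOF
cat > "$WORK/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <interface name="eth0"/>
</zone>
EOF

# default_zone CONF -> prints the DefaultZone value, ignoring comments and blank lines.
default_zone() {
  sed -n 's/^[[:space:]]*DefaultZone=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# zone_allows_service ZONEDIR ZONE SERVICE -> exit 0 if ZONE.xml lists <service name="SERVICE"/>.
zone_allows_service() {
  grep -q "<service name=\"$3\"" "$1/$2.xml"
}

# zone_for_interface ZONEDIR IFACE -> prints the zone whose XML binds IFACE,
# or "(default)" when no zone claims it (that is exactly when DefaultZone applies).
zone_for_interface() {
  f="$(grep -l "<interface name=\"$2\"" "$1"/*.xml 2>/dev/null | head -n 1)"
  if [ -n "$f" ]; then basename "$f" .xml; else echo "(default)"; fi
}

# audit CONF ZONEDIR IFACE -> "ok" if ssh is still admitted on IFACE's effective zone,
# otherwise "lockout-risk" (remote management over that interface would be dropped).
audit() {
  dz="$(default_zone "$1")"
  z="$(zone_for_interface "$2" "$3")"
  if [ "$z" = "(default)" ]; then z="$dz"; fi
  if zone_allows_service "$2" "$z" ssh; then echo ok; else echo lockout-risk; fi
}

echo "default zone: $(default_zone "$WORK/firewalld.conf")"
echo "eth0 -> $(zone_for_interface "$WORK/zones" eth0): $(audit "$WORK/firewalld.conf" "$WORK/zones" eth0)"
echo "eth1 -> $(zone_for_interface "$WORK/zones" eth1): $(audit "$WORK/firewalld.conf" "$WORK/zones" eth1)"
```

The script reports eth0 as "ok" (it is bound to public, which admits ssh) and the unbound eth1 as "lockout-risk", because an interface with no zone binding falls into the default zone, and DefaultZone=drop admits nothing. On a live system the same questions are answered by firewall-cmd --get-default-zone, firewall-cmd --get-active-zones and firewall-cmd --list-all, so check that the interface you administer over is bound to a zone that permits ssh before changing the default.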

OK, it's just that I got a warning using SCAP Workbench to set the default firewalld zone for incoming packets.

There is a GUI for managing firewalld. In a terminal it can be launched with sudo firewall-config.

I am aware of that, but I am wondering why that warning showed up in the first place?

Warning only.
Telling the admin to be careful that they don't open the system to unwanted access.

That is definitely a risk because of what OpenSCAP is and does. The firewall has to be changed to allow SCAP to work, and that could open the system to external access.


OK, thank you, then I will stick to Lynis from now on.