Ensure host based firewall loopback traffic is configured to the trusted zone

[bbaassssiiee]

Describe the Issue Configure firewalld to restrict loopback traffic to the lo interface. The loopback traffic must be trusted by assigning the lo interface to the firewalld trusted zone. However, the loopback traffic must be restricted to the loopback interface as an anti-spoofing measure.

Expected Behavior

sudo firewall-cmd --permanent --zone=trusted --add-interface=lo
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
sudo firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'

Actual Behavior

sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'

Control(s) Affected 3.4.2.2 Environment (please complete the following information):

• branch being used: [e.g. devel]
• Ansible Version: [e.g. 2.10]
• Host Python Version: [e.g. Python 3.7.6]
• Ansible Server Python Version: [e.g. Python 3.7.6]
• Additional Details:

Additional Notes Anything additional goes here

Possible Solution Add the rich_rule to the trusted zone

[bbaassssiiee]

 <interface name="lo"/>

The above is still missing... Should immediate: true be set?

/etc/firewalld/zones/trusted.xml now has:

<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <rule family="ipv4">
    <source address="127.0.0.1"/>
    <destination address="127.0.0.1" invert="True"/>
    <drop/>
  </rule>
  <rule family="ipv6">
    <source address="::1"/>
    <destination address="::1" invert="True"/>
    <drop/>
  </rule>
</zone>

[bbaassssiiee]

Looks good now