SB.11.006 Firewall Rule Management
The network firewall is set up to protect hosts on the network against network flows that are potentially insecure. The firewall is one part of a layered defense.
By default, the firewall rules deny all traffic that is not explicitly allowed. Rules that allow the traffic necessary for functionality follow the architectural design.
All firewall rules are documented with a textual explanation of their purpose and a revision date. Firewall rules are revised on or before their revision dates.
Access to the firewall itself should be appropriately protected. The firewall has a safe configuration by default: it filters all traffic and does not expose administrative interfaces.
Firewalls log denied and allowed traffic for the purpose of investigating network problems or security incidents.
Firewall rules are consistent and synchronised for IPv4 and IPv6.
Firewalling is stateful by default: traffic that is a response to, or clearly belongs to, an already allowed connection is allowed.
Packets carrying IP source routing information are not allowed.
Traffic with the firewall itself as destination must be blocked, except for intended administrative tasks.
Traffic with invalid source or destination addresses must be dropped.
Traffic to broadcast destination addresses is not forwarded.
Firewall performance should be sized according to SLA goals.
Follow the best practices in NIST SP 800-41 Rev. 1, “Guidelines on Firewalls and Firewall Policy” (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf).
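As a worked illustration of the requirements above, the following nftables ruleset is added here as an example; it is not part of SB.11.006 or of any referenced configuration. It shows how deny-by-default, stateful filtering, protection of the firewall's own management access, dropping of source-routed traffic and invalid sources, non-forwarding of broadcasts, logging of both denied and allowed flows, and IPv4/IPv6 consistency (one ruleset in the `inet` family) can be expressed. The interface names (`wan0`, `lan0`, `mgmt0`), address ranges, administrative hosts and the review dates in the rule comments are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example ruleset illustrating SB.11.006; not the baseline's own configuration.
# Assumed placeholders: wan0 (untrusted), lan0 (internal), mgmt0 (management),
# internal prefixes 10.20.0.0/16 and 2001:db8:20::/48,
# DMZ web server 10.20.5.10 / 2001:db8:20:5::10, one admin host per address family.
flush ruleset

# The inet family applies a single ruleset to IPv4 and IPv6, so both stacks stay in sync.
table inet filter {
    set admin_hosts_v4 { type ipv4_addr; elements = { 192.0.2.10 } }
    set admin_hosts_v6 { type ipv6_addr; elements = { 2001:db8:ff::10 } }

    # Sources that are invalid on the untrusted interface: unspecified, loopback,
    # link-local, multicast, reserved, and our own internal prefixes (anti-spoofing).
    set bogons_v4 {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.20.0.0/16, 127.0.0.0/8, 169.254.0.0/16,
                     224.0.0.0/4, 240.0.0.0/4 }
    }
    set bogons_v6 {
        type ipv6_addr
        flags interval
        elements = { ::/128, ::1/128, 2001:db8:20::/48, fe80::/10, ff00::/8 }
    }

    # Source-routed packets are never allowed: IPv4 strict/loose source route options
    # and the IPv6 type 0 routing header. Reused from both hooks below.
    chain no_source_route {
        ip option ssrr exists counter drop
        ip option lsrr exists counter drop
        rt type 0 counter drop
    }

    # Traffic addressed to the firewall itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # Stateful: replies to connections the firewall opened, drop conntrack-invalid packets
        ct state established,related accept
        ct state invalid counter drop
        jump no_source_route
        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
        meta l4proto { icmp, icmpv6 } accept

        # Administrative access only: SSH from the admin hosts, only via the management interface
        iifname "mgmt0" tcp dport 22 ip saddr @admin_hosts_v4 ct state new log prefix "FW-ADMIN-ACCEPT " accept
        iifname "mgmt0" tcp dport 22 ip6 saddr @admin_hosts_v6 ct state new log prefix "FW-ADMIN-ACCEPT " accept

        # Everything else aimed at the firewall is logged (rate-limited) and dropped
        limit rate 10/second burst 20 packets log prefix "FW-INPUT-DROP "
        counter drop
    }

    # Traffic passing through the firewall.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid counter drop
        jump no_source_route

        # Invalid or spoofed sources arriving from the untrusted side
        iifname "wan0" ip saddr @bogons_v4 counter drop
        iifname "wan0" ip6 saddr @bogons_v6 counter drop
        # Broadcast destinations (directed and limited) are not forwarded
        fib daddr type broadcast counter drop
        ip daddr 255.255.255.255 counter drop

        # Allowed flows per the architectural design. Each rule carries its purpose and a
        # revision date in its comment; new connections are logged so allowed traffic is auditable.
        # IPv4 and IPv6 rules are written as pairs so the two stacks never drift apart.
        iifname "wan0" oifname "lan0" ip daddr 10.20.5.10 tcp dport 443 ct state new log prefix "FW-FORWARD-ACCEPT " accept comment "Public HTTPS to DMZ web server; review 2025-12-31"
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:20:5::10 tcp dport 443 ct state new log prefix "FW-FORWARD-ACCEPT " accept comment "Public HTTPS to DMZ web server (IPv6); review 2025-12-31"
        iifname "lan0" oifname "wan0" ip saddr 10.20.0.0/16 tcp dport { 80, 443 } ct state new log prefix "FW-FORWARD-ACCEPT " accept comment "Internal clients to web; review 2025-12-31"
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:20::/48 tcp dport { 80, 443 } ct state new log prefix "FW-FORWARD-ACCEPT " accept comment "Internal clients to web (IPv6); review 2025-12-31"

        # Deny by default: anything not explicitly allowed is logged (rate-limited) and dropped
        limit rate 10/second burst 20 packets log prefix "FW-FORWARD-DROP "
        counter drop
    }
}
```

Syntax-check the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`. The per-rule `comment` field is where the textual purpose and revision date required above can live alongside the rule itself, so `nft list ruleset` doubles as the rule inventory to review against the revision dates; the `log` prefixes separate denied and allowed traffic in the kernel log, and the `counter` statements give per-rule hit counts that help identify rules which are no longer needed.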