CentOS – Filter incoming traffic to UDP port for PCI compliance

Tags: centos, pci-dss, udp

It has been recommended for PCI compliance that I filter incoming traffic to UDP port 5353. Please can someone advise what the steps are to do this?

I am currently using CentOS 5.7 64-bit.

Best Answer

How to do what you asked:
With CentOS your firewall is controlled by iptables / netfilter. You could add a rule to block UDP port 5353 traffic with (using traditional state-tracking rules):

    iptables -A INPUT -p udp -m udp --dport 5353 -m state --state NEW -j DROP

Why you shouldn't do what you asked:
However, I believe that PCI compliance requires that your firewalls have default-deny policies, meaning you should be dropping all traffic that you do not allow by specific rules, and therefore should not need a specific rule like the one above. You would do this in iptables by having DROP be the default policy or by adding a DROP rule at the bottom of your firewall. Also, this filtering should probably be happening already on a firewall, not a server. If CentOS is your firewall, these rules will be on the FORWARD chain, not the INPUT chain.

You probably want outside help:
Judging by the level of your question, and the complexity of implementing full PCI compliance, I sense you are a bit in over your head here. That doesn't make you a bad person or bad at your job. However, just as you are asking for help with specifics here (a great thing to do, and props as well for not leaving out that this is for PCI compliance), I recommend you get more help from a consultant on PCI implementation as a project on the whole. If after thinking about this for a while you feel this is true, you are actually doing your job as best as you can by admitting that seeking outside help is best for the company.
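The default-deny approach the answer describes, as an added worked example (not code from the answerer or from CentOS): a POSIX shell script that generates a complete ruleset in the iptables-restore format CentOS 5 stores in /etc/sysconfig/iptables, with DROP as the INPUT and FORWARD policy and explicit ACCEPT rules only for what the host needs. The allowed TCP port list (SSH only), the decision to permit ICMP, and the helper names gen_ruleset, chain_policy and port_allowed are assumptions made for this example. UDP 5353 never appears in the ruleset; it is dropped by the chain policy, which is the point the answer makes. Generating the rules requires no privileges; only the --apply step needs root.

```shell
#!/bin/sh
# Added example: build a default-deny iptables ruleset for a CentOS 5 host.
# Output is iptables-restore format, the same format CentOS keeps in
# /etc/sysconfig/iptables. Assumption: only SSH (tcp/22) is needed inbound;
# override with ALLOWED_TCP="22 443" in the environment.
ALLOWED_TCP="${ALLOWED_TCP:-22}"

# Print the ruleset to stdout. INPUT and FORWARD default to DROP, so any
# port without an explicit ACCEPT (UDP 5353 included) is dropped without a
# dedicated rule. On a box that routes for others, the allow rules below
# would go on FORWARD instead of INPUT; FORWARD stays DROP here because a
# plain server should not forward anything.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host initiated, loopback, and ICMP.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
EOF
    # One ACCEPT per service we intentionally expose; nothing else gets in.
    for port in $ALLOWED_TCP; do
        echo "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    echo "COMMIT"
}

# chain_policy CHAIN: read a ruleset on stdin, print the chain's policy.
chain_policy() {
    awk -v c=":$1" '$1 == c { print $2; exit }'
}

# port_allowed PROTO PORT: read a ruleset on stdin; succeed only if an
# INPUT rule explicitly ACCEPTs PROTO/PORT. Naive textual check, enough to
# audit rulesets this script generates.
port_allowed() {
    grep -q -- "^-A INPUT .*-p $1 .*--dport $2 .*-j ACCEPT" 
}

# Human-readable audit of the generated ruleset.
audit() {
    rs=$(gen_ruleset)
    echo "INPUT policy:   $(printf '%s\n' "$rs" | chain_policy INPUT)"
    echo "FORWARD policy: $(printf '%s\n' "$rs" | chain_policy FORWARD)"
    if printf '%s\n' "$rs" | port_allowed udp 5353; then
        echo "udp/5353: explicitly ACCEPTed (review this)"
    else
        echo "udp/5353: no ACCEPT rule, dropped by INPUT policy"
    fi
}

# Usage: ./fw.sh          -> print the ruleset and an audit summary
#        ./fw.sh --apply  -> load it (root) and persist it across reboots
if [ "$1" = "--apply" ]; then
    gen_ruleset | iptables-restore && service iptables save
else
    gen_ruleset
    echo
    audit
fi
```

Run it once without --apply and read the output before loading anything; locking yourself out of SSH is the classic failure when the policy flips to DROP. On CentOS 5, `service iptables save` writes the live rules to /etc/sysconfig/iptables so they survive a reboot.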
