UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22491 GEN005610 SV-37930r2_rule ECSC-1 Medium
Description
If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.
STIG Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide 2014-01-09

Details

Check Text ( C-37186r3_chk )
Check if the system is configured for IPv6 forwarding.

# grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all"

If the /proc/sys/net/ipv6/conf/*/forwarding entries do not exist because of compliance with GEN007720, this is not a finding.

If all of the resulting lines do not end with 0, this is a finding.

Fix Text (F-32423r1_fix)
Disable IPv6 forwarding.

Edit /etc/sysctl.conf and add a setting for "net.ipv6.conf.all.forwarding=0" and "net.ipv6.conf.default.forwarding=0".

Reload the sysctls.
Procedure:
# sysctl -p