Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22491 | GEN005610 | SV-37930r2_rule | ECSC-1 | Medium |
Description |
---|
If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 5 Security Technical Implementation Guide | 2014-04-02 |
Check Text ( C-37186r3_chk ) |
---|
Check if the system is configured for IPv6 forwarding. # grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all" If the /proc/sys/net/ipv6/conf/*/forwarding entries do not exist because of compliance with GEN007720, this is not a finding. If all of the resulting lines do not end with 0, this is a finding. |
Fix Text (F-32423r1_fix) |
---|
Disable IPv6 forwarding. Edit /etc/sysctl.conf and add a setting for "net.ipv6.conf.all.forwarding=0" and "net.ipv6.conf.default.forwarding=0". Reload the sysctls. Procedure: # sysctl -p |