| # 3.2.7 Ensure Reverse Path Filtering is enabled |
| # |
| # Description |
| # =========== |
| # Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 |
| # forces the Linux kernel to utilize reverse path filtering on a received |
| # packet to determine if the packet was valid. Essentially, with reverse path |
| # filtering, if the return packet does not go out the same interface that the |
| # corresponding source packet came from, the packet is dropped (and logged if |
| # log_martians is set). |
| # |
| # Rationale |
| # ========= |
| # Setting these flags is a good way to deter attackers from sending your system |
| # bogus packets that cannot be responded to. One instance where this feature |
| # breaks down is if asymmetrical routing is employed. This would occur when |
| # using dynamic routing protocols (bgp, ospf, etc) on your system. If you are |
| # using asymmetrical routing on your system, you will not be able to enable |
| # this feature without breaking the routing. |
| # |
| # Audit |
| # ===== |
| # |
| # Run the following commands and verify output matches: |
| # |
| # # sysctl net.ipv4.conf.all.rp_filter |
| # net.ipv4.conf.all.rp_filter = 1 |
| # # sysctl net.ipv4.conf.default.rp_filter |
| # net.ipv4.conf.default.rp_filter = 1 |
| # |
| # Remediation |
| # =========== |
| # |
| # Set the following parameters in the /etc/sysctl.conf file: |
| # |
| # net.ipv4.conf.all.rp_filter = 1 |
| # net.ipv4.conf.default.rp_filter = 1 |
| # |
| # Run the following commands to set the active kernel parameters: |
| # |
| # # sysctl -w net.ipv4.conf.all.rp_filter=1 |
| # # sysctl -w net.ipv4.conf.default.rp_filter=1 |
| # # sysctl -w net.ipv4.route.flush=1 |
| |
| parameters: |
| linux: |
| system: |
| kernel: |
| sysctl: |
| net.ipv4.conf.all.rp_filter: 1 |
| net.ipv4.conf.default.rp_filter: 1 |