3.3.1.12 Ensure net.ipv4.conf.all.rp_filter is configured

Information

net.ipv4.conf.all.rp_filter controls reverse path filtering for IPv4 traffic on all network interfaces.

Reverse path filtering is a security mechanism in Linux that helps prevent IP spoofing and other network attacks. When enabled, it checks if the source IP address of an incoming packet is reachable through the same network interface it was received on. If the packet's source address is not reachable through the interface it arrived on, the packet is dropped.

Note: If this system is a router, and uses asymmetrical routing, this recommendation is not applicable.

Setting net.ipv4.conf.all.rp_filter to 1 is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (BGP, OSPF, etc.) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.

Solution

- Review all files being used by systemd sysctl and comment out or remove all net.ipv4.conf.all.rp_filter lines that are not net.ipv4.conf.all.rp_filter=1.

Example script:

#!/usr/bin/env bash

{
   # Option to enforce and the only value that is considered compliant.
   l_option="net.ipv4.conf.all.rp_filter" l_value="1"
   # Regex form of the option that matches both dotted and slash notation.
   l_grep="${l_option//./(\\.|\\/)}" a_files=()
   l_systemdsysctl="$(readlink -e /lib/systemd/systemd-sysctl \
      || readlink -e /usr/lib/systemd/systemd-sysctl)"
   # UFW may ship its own sysctl file (IPT_SYSCTL in /etc/default/ufw).
   l_ufw_file="$([ -f /etc/default/ufw ] && \
      awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
   [ -f "$(readlink -e "$l_ufw_file")" ] && \
      a_files+=("$l_ufw_file"); a_files+=("/etc/sysctl.conf")
   # Collect every file systemd-sysctl would read, without duplicates.
   while IFS= read -r l_fname; do
      l_file="$(readlink -e "${l_fname//# /}")"
      [ -n "$l_file" ] && ! grep -Psiq -- '(^|\h+)'"$l_file"'\b' \
         <<< "${a_files[*]}" && a_files+=("$l_file")
   done < <("$l_systemdsysctl" --cat-config | tac | \
      grep -Pio -- '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
   # Comment out any line that sets the option to a value other than 1.
   for l_file in "${a_files[@]}"; do
      grep -Poi -- '\h*'"$l_grep"'\h*=\h*\H+\b' "$l_file" \
         | grep -Pivq -- '^\h*'"$l_grep"'\h*=\h*'"$l_value"'\b' && \
         sed -ri '/^\s*'"$l_grep"'\s*=\s*(0|[2-9]|1[0-9]+)/s/^/# /' "$l_file"
   done
}

- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

net.ipv4.conf.all.rp_filter = 1

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.conf.all.rp_filter = 1" \
>> /etc/sysctl.d/60-ipv4_sysctl.conf

Note: If the UFW file was the first file listed in the audit, the entry will be commented out as part of the first step; however, updating Uncomplicated Firewall (UFW) may overwrite this change. In this case the updated entry will supersede the entry created as part of this step.

- Run the following command to load all sysctl configuration files:

# sysctl --system
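The following audit helper is an added example, not the benchmark's remediation script above. It reports the running kernel value of net.ipv4.conf.all.rp_filter, lists any active configuration line that sets the key to something other than 1, and shows which value would win when a set of files is applied in a given order (later files win, as with sysctl --system). The function names, the file paths and the file contents in the demo are constructed for this example; pass your own file list (for example /etc/sysctl.conf and the /etc/sysctl.d/*.conf drop-ins) to check a real host.

```shell
#!/bin/sh
# Added audit helper for net.ipv4.conf.all.rp_filter (example code, not the
# benchmark's script). Function names, demo paths and demo file contents are
# constructed for this example.

# Pattern for an active (uncommented) line that sets the key, in either the
# dotted or the slash notation, with or without the leading "-" that sysctl
# accepts to ignore errors for a missing key.
RP_KEY='^[[:space:]]*-?net[./]ipv4[./]conf[./]all[./]rp_filter[[:space:]]*='

# rp_filter_running: print the kernel's current value, or "n/a" when sysctl
# is not available or the key does not exist (for example on non-Linux hosts).
rp_filter_running() {
    if command -v sysctl >/dev/null 2>&1; then
        sysctl -n net.ipv4.conf.all.rp_filter 2>/dev/null || printf 'n/a\n'
    else
        printf 'n/a\n'
    fi
}

# rp_filter_conflicts FILE...: print "FILE: LINE" for every active line that
# sets the key to a value other than 1. Unreadable files are skipped.
rp_filter_conflicts() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -Ei "$RP_KEY" "$f" \
            | grep -Eiv '^[^=]*=[[:space:]]*1[[:space:]]*$' \
            | sed "s|^|$f: |"
    done
}

# rp_filter_effective FILE...: print the value left in place by the last
# active setting when the files are applied in the given order (later files
# win), or "unset" if none of them sets the key.
rp_filter_effective() {
    val=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(grep -Ei "$RP_KEY" "$f" | tail -n 1 \
            | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$v" ] && val=$v
    done
    printf '%s\n' "$val"
}

# Demo on constructed files: a legacy file that sets the value to 2 and a
# drop-in that sets it to 1 (with an older value left commented out).
demo_dir=$(mktemp -d)
printf '%s\n' 'net.ipv4.conf.all.rp_filter = 2' 'net.ipv4.ip_forward = 0' \
    > "$demo_dir/sysctl.conf"
printf '%s\n' '# net.ipv4.conf.all.rp_filter = 0' 'net/ipv4/conf/all/rp_filter=1' \
    > "$demo_dir/60-ipv4_sysctl.conf"

echo "running value: $(rp_filter_running)"
echo "conflicting lines:"
rp_filter_conflicts "$demo_dir/sysctl.conf" "$demo_dir/60-ipv4_sysctl.conf"
echo "effective value with sysctl.conf applied first and the drop-in last:" \
    "$(rp_filter_effective "$demo_dir/sysctl.conf" "$demo_dir/60-ipv4_sysctl.conf")"
rm -rf "$demo_dir"
```

The conflict check is the part worth keeping around after remediation: a configuration management run or a package update can reintroduce a line setting the key to 0 or 2, and comparing the running value against the files catches both a stale kernel setting (files fixed, sysctl --system not yet run) and a file that will undo the fix at the next reload.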

Impact:

If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.

See Also

https://workbench.cisecurity.org/benchmarks/24008

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv7|9.2

Plugin: Unix

Control ID: fcceeda030e206ef148c06d0b1e8291ec399da794c91c84958fa3ced8ac6b051