Information
The net.ipv6.conf.all.forwarding flag tells the system whether it can forward IPv6 packets or not.
More information about the kernel parameter configuration files, their location, and load preference is available in the "Configure Network Kernel Parameters" section overview.
Note: If IPv6 has been disabled, or this system is a router, this recommendation is not applicable.
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Setting net.ipv6.conf.all.forwarding to 0 ensures that a system with multiple interfaces (for example, a hard proxy) will not be able to forward IPv6 packets.
Solution
- Run the following command to comment out net.ipv6.conf.all.forwarding lines returned by the audit procedure that are not net.ipv6.conf.all.forwarding = 0:
# sed -ri '/^\s*net.ipv6.conf.all.forwarding\s*=\s*1/s/^/#/g' "path/to/file/in/audit/filename"
Example:
# sed -ri '/^\s*net.ipv6.conf.all.forwarding\s*=\s*1/s/^/#/g' /etc/sysctl.d/99-sysctl.conf
- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:
net.ipv6.conf.all.forwarding = 0
Example:
# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv6.conf.all.forwarding = 0" >> /etc/sysctl.d/60-ipv6_sysctl.conf
- Run the following command to load all sysctl configuration files:
# sysctl --system
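The steps above combined into one script, added here as an example and not part of the benchmark text. The function names (find_bad_lines, effective_value, remediate) are hypothetical, GNU grep and sed are assumed, and the script goes slightly beyond the sed command above by commenting out any active value other than 0 rather than only 1. It takes the directory as an argument and the demo runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example. Operates on a directory passed as $1 so it can be tried on a
# copy; it models one directory only, not sysctl --system's full search path.

# ERE for an active (uncommented) assignment, up to and including the "=".
P='[[:space:]]*net[.]ipv6[.]conf[.]all[.]forwarding[[:space:]]*=[[:space:]]*'

# Audit: print file:line:text for every active assignment whose value is not 0.
find_bad_lines() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -HnE "^${P}" "$f" | grep -vE '=[[:space:]]*0[[:space:]]*$' || true
    done
}

# Last active assignment wins when files are read in lexical order.
effective_value() {
    cat "$1"/*.conf 2>/dev/null | grep -E "^${P}" | tail -n 1 |
        sed -E "s/^${P}//; s/[[:space:]]+\$//"
}

# Remediate: comment out non-zero assignments (keeping .bak copies), then add
# the compliant line to 60-ipv6_sysctl.conf as in the page's example.
remediate() {
    mkdir -p "$1"
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        sed -E -i.bak "/^${P}0[[:space:]]*\$/!s/^${P}/#&/" "$f"
    done
    printf '%s\n' "" "net.ipv6.conf.all.forwarding = 0" >> "$1/60-ipv6_sysctl.conf"
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'net.ipv6.conf.all.forwarding = 0' > "$d/10-base.conf"
    printf '%s\n' '  net.ipv6.conf.all.forwarding=1' > "$d/99-sysctl.conf"
    echo "before: effective=$(effective_value "$d")"; find_bad_lines "$d"
    remediate "$d"
    echo "after:  effective=$(effective_value "$d")"; find_bad_lines "$d"
    rm -rf "$d"
}
demo
```

On a real system, follow remediate /etc/sysctl.d with sysctl --system, since the script edits files only and does not change the running kernel value.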
Impact:
IP forwarding is required on systems configured to act as a router. If these parameters are disabled, the system will not be able to perform as a router.
Many Cloud Service Provider (CSP) hosted systems require IP forwarding to be enabled. If the system is running on a CSP platform, this requirement should be reviewed before disabling IP forwarding.