3.2.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.all.rp_filter = 1 sysctl'

Information

Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if
asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.

Solution

Set the following parameters in the /etc/sysctl.conf file - net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1 Run the following commands to set the active kernel parameters - # sysctl -w net.ipv4.conf.all.rp_filter=1
# sysctl -w net.ipv4.conf.default.rp_filter=1
# sysctl -w net.ipv4.route.flush=1

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: f27dd95475d75bb3583019c4778702657613673f42e60f8b8e55d92d5b1a109f