# 3.2.7 Ensure Reverse Path Filtering is enabled
#
# Description
# ===========
# Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1
# forces the Linux kernel to utilize reverse path filtering on a received
# packet to determine if the packet was valid. Essentially, with reverse path
# filtering, if the return packet does not go out the same interface that the
# corresponding source packet came from, the packet is dropped (and logged if
# log_martians is set).
#
# Rationale
# =========
# Setting these flags is a good way to deter attackers from sending your system
# bogus packets that cannot be responded to. One instance where this feature
# breaks down is if asymmetrical routing is employed. This would occur when
# using dynamic routing protocols (bgp, ospf, etc) on your system. If you are
# using asymmetrical routing on your system, you will not be able to enable
# this feature without breaking the routing.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.rp_filter
# net.ipv4.conf.all.rp_filter = 1
# # sysctl net.ipv4.conf.default.rp_filter
# net.ipv4.conf.default.rp_filter = 1
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.rp_filter = 1
# net.ipv4.conf.default.rp_filter = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.rp_filter=1
# # sysctl -w net.ipv4.conf.default.rp_filter=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
  linux:
    system:
      kernel:
        sysctl:
          net.ipv4.conf.all.rp_filter: 1
          net.ipv4.conf.default.rp_filter: 1
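An audit helper for the check described in the Audit section above, added here as an example and not part of the original parameter file. It parses sysctl-style "key = value" output (so it can be run against a captured `sysctl -a` dump as well as the live kernel via /proc/sys) and passes only when both keys read exactly 1; the function names, the PASS/FAIL output format and the sample inputs are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the two CIS 3.2.7 rp_filter keys the same way the
# Audit section does. Assumes a Linux host with /proc/sys mounted for the
# live check; the parser itself only needs sysctl-style text on stdin.

# rp_filter_value_ok VALUE
# Returns 0 only for the strict value the benchmark expects. Both 2 (loose
# mode) and 0 (off) fail, because the Audit step compares against "= 1".
rp_filter_value_ok() {
  [ "$1" = "1" ]
}

# audit_sysctl_output
# Reads "key = value" lines on stdin, as printed by `sysctl`, and returns 0
# only when both keys are present and pass rp_filter_value_ok. A missing key
# counts as a failure so that a truncated capture cannot pass the audit.
# Caveat: "default" only seeds interfaces created later, and the kernel
# combines "all" with each interface's own conf/<iface>/rp_filter value, so a
# per-interface override is not covered by these two keys alone.
audit_sysctl_output() {
  all_val="" default_val="" rc=0
  while IFS=' =' read -r key value; do
    case "$key" in
      net.ipv4.conf.all.rp_filter) all_val=$value ;;
      net.ipv4.conf.default.rp_filter) default_val=$value ;;
    esac
  done
  for pair in "all:$all_val" "default:$default_val"; do
    name=${pair%%:*} value=${pair#*:}
    if rp_filter_value_ok "$value"; then
      echo "PASS net.ipv4.conf.$name.rp_filter = $value"
    else
      echo "FAIL net.ipv4.conf.$name.rp_filter = ${value:-<missing>}"
      rc=1
    fi
  done
  return $rc
}

# audit_live
# Reads the running kernel values from /proc/sys (the same data `sysctl`
# prints) and feeds them to audit_sysctl_output. Returns 2 if unreadable.
audit_live() {
  for iface in all default; do
    [ -r "/proc/sys/net/ipv4/conf/$iface/rp_filter" ] ||
      { echo "cannot read /proc/sys/net/ipv4/conf/$iface/rp_filter" >&2; return 2; }
  done
  for iface in all default; do
    echo "net.ipv4.conf.$iface.rp_filter = $(cat "/proc/sys/net/ipv4/conf/$iface/rp_filter")"
  done | audit_sysctl_output
}
```

Source the file and call `audit_live` on the host, or pipe saved `sysctl -a` output into `audit_sysctl_output` to audit a capture offline; a non-zero exit means the remediation above has not been applied.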