3.3.13 nonlocsrcroute

Information

The nonlocsrcroute parameter determines whether the system allows source routed packets to be addressed to hosts outside of the LAN.

Rationale:

The nonlocsrcroute parameter will be set to 0. This means that the system will not allow source routed packets to be addressed to hosts outside of the LAN. By default, when this is enabled the system is susceptible to source routing attacks.

Solution

In /etc/tunables/nextboot, add the nonlocsrcroute entry:

no -p -o nonlocsrcroute=0

This makes the change permanent by adding the entry into /etc/tunables/nextboot

Default Value:

1

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12)

Plugin: Unix

Control ID: 765780250f5f3856c12ed592be7775d199575b9766c83597194bc472442c62eb