3.2.7 Ensure Reverse Path Filtering is enabled - /etc/sysctl.conf /etc/sysctl.d/* net.ipv4.conf.default.rp_filter = 1

Information

Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set).

Rationale:

Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.

Solution

Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Run the following commands to set the active kernel parameters:

# sysctl -w net.ipv4.conf.all.rp_filter=1

# sysctl -w net.ipv4.conf.default.rp_filter=1

# sysctl -w net.ipv4.route.flush=1

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-92251

Rule ID: SV-102353r1_rule

STIG ID: RHEL-07-040611

Severity: CAT II



Vul ID: V-92253

Rule ID: SV-102355r1_rule

STIG ID: RHEL-07-040612

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: 37489d6c3965f34260593a66f64261483a96a8def9858d99e58ab8650642240d