3.3.7 Ensure reverse path filtering is enabled

Information

Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set).

Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.

Solution

Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending inconf :

- net.ipv4.conf.all.rp_filter = 1
- net.ipv4.conf.default.rp_filter = 1

Example:

# printf '%s
' "net.ipv4.conf.all.rp_filter = 1" "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.d/60-netipv4_sysctl.conf

Run the following script to set the active kernel parameters:

#!/usr/bin/env bash

{
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.route.flush=1
}

Note: If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten

Impact:

If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.

See Also

https://workbench.cisecurity.org/benchmarks/17074

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: eda8e3746d2dc324dd59d51111ba7275ae4ca22122528a29b75579876550d9a7