Title

The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router. (Cat II impact)

Discussion

If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.

Check Content

Check if the system is configured for IPv6 forwarding. # ndd -get /dev/ip6 ip6_forwarding If ip6_forwarding is set to 1, this is a finding.

Fix Text

Disable IPv6 forwarding: # ndd -set /dev/ip6 ip6_forwarding 0 Edit /etc/rc.config.d/nddconf: TRANSPORT_NAME[index]=ip6 NDD_NAME[index]=ip6_forwarding NDD_VALUE[index]=0 Where: index is the next available integer value of the nddconf file. n is a number: either 1 to turn the feature ON or 0 to turn it OFF.

Additional Identifiers

Rule ID: SV-26811r1_rule

Vulnerability ID: V-22491

Group Title: GEN005610

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.