Title

IP forwarding for IPv4 must not be enabled, unless the system is a router. (Cat II impact)

Discussion

If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.

Check Content

The configuration file entries will appear as follows: TRANSPORT_NAME[x]=ip NDD_NAME[x]=ip_forwarding NDD_VALUE[x]=0 NOTE: The setting for the "ip_forwarding" interface will be initialized on a separate line referencing a specific NDD index. # cat /etc/rc.config.d/nddconf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | \ grep -i ip_forwarding | cut -f 1,1 -d "=" | tr -d [:alpha:] | tr -d [:punct:] If the above command returns nothing, this check is not a finding. If the above command does return an index value: # cat /etc/rc.config.d/nddconf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v '^#' | \ grep "[the ip_forwarding INDEX number from the above command]" NOTE: The above command must (literally) contain the ASCII punctuation characters [ and ] exactly as depicted above. If the return value is not set to 0, ask the SA if the machine is a designated router. If it is not a designated router, this is a finding. If it is a designated router, this is not a finding.

Fix Text

Edit /etc/rc.config.d/nddconf and set the ip_forwarding option to 0.

Additional Identifiers

Rule ID: SV-35177r1_rule

Vulnerability ID: V-12023

Group Title: GEN005600

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.