2 Congure the host system to deny IPv4 forwarding.
a Open the /etc/sysctl.conf to congure the host system.
b If the value is not set to 0, add the following entry to the le or update the existing entry
accordingly. Set the value to 0.
net.ipv4.ip_forward=0
c Save the changes and close the le.
Configure the Host System to Deny Forwarding of IPv4 Source Routed Packets
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a
different path than what is configured on the router, which can be used to bypass network security
measures.
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is
enabled and the system is functioning as a router.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv4/conf/*/accept_source_route|egrep "default|all"
command to verify whether the system does not use IPv4 source routed packets.
2 Configure the host system to deny forwarding of IPv4 source routed packets.
a Open the /etc/sysctl.conf file with a text editor.
b If the values are not set to 0, ensure that net.ipv4.conf.all.accept_source_route=0 and
net.ipv4.conf.default.accept_source_route=0 are set to 0.
c Save and close the file.
Configure the Host System to Deny IPv6 Forwarding
As a security best practice, verify that the host system denies IPv6 forwarding. If the system is configured
for IP forwarding and is not a designated router, it can be used to bypass network security by providing a
path for communication that is not filtered by network devices.
Procedure
1 Run the # grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all" command to verify
whether the host denies IPv6 forwarding.
2 Configure the host system to deny IPv6 forwarding.
a Open the /etc/sysctl.conf file to configure the host system.
b If the values are not set to 0, add the following entries to the file or update the existing entries
accordingly. Set the value to 0.
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.forwarding=0
c Save the changes and close the file.
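The three procedures above (IPv4 forwarding, IPv4 source-routed packet forwarding, IPv6 forwarding) all follow the same pattern: read a kernel parameter, compare it with 0, and add the matching entry to /etc/sysctl.conf when it is wrong or missing. The following POSIX shell script is an added example, not part of the VMware guide, that audits all five parameters from these procedures in one pass and prints the exact /etc/sysctl.conf entries that still need to be added. It reads "key = value" lines in the format that sysctl -a prints; the two sample inputs (SAMPLE_COMPLIANT and SAMPLE_NONCOMPLIANT) are constructed here so the script runs offline, and the function names audit_settings and remediation_lines are this example's own.

```shell
#!/bin/sh
# Added example (not from the VMware guide): audit the sysctl keys that the
# IPv4 forwarding, IPv4 source-route and IPv6 forwarding procedures require.

# The five key=value pairs the procedures above ask for, one per line.
EXPECTED_SETTINGS='net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.forwarding=0'

# Constructed sample input in the "key = value" format printed by sysctl -a.
SAMPLE_COMPLIANT='net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0'

# Constructed sample of a host acting as a router, with two keys absent entirely.
SAMPLE_NONCOMPLIANT='net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.forwarding = 1'

# audit_settings: reads "key = value" lines on stdin and prints one line per
# expected key, "OK key=value" or "FAIL key current=... expected=0".
# A key that is absent from the input counts as FAIL (current=unset).
# Returns 0 only when every expected key is present and set to 0.
audit_settings() {
    status=0
    # Normalise "key = value" to "key=value" so both spellings are accepted.
    current=$(sed 's/[[:space:]]*=[[:space:]]*/=/')
    for entry in $EXPECTED_SETTINGS; do
        key=${entry%%=*}
        want=${entry#*=}
        # Escape the dots so they match literally in the sed pattern.
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        # Last occurrence wins, mirroring how later sysctl.conf entries override earlier ones.
        have=$(printf '%s\n' "$current" | sed -n "s/^${key_re}=//p" | tail -n 1)
        if [ "$have" = "$want" ]; then
            printf 'OK   %s=%s\n' "$key" "$have"
        else
            printf 'FAIL %s current=%s expected=%s\n' "$key" "${have:-unset}" "$want"
            status=1
        fi
    done
    return $status
}

# remediation_lines: prints the /etc/sysctl.conf entries (key=0) for every key
# that audit_settings reported as FAIL, ready to append to the file.
remediation_lines() {
    audit_settings | sed -n 's/^FAIL \([^ ]*\) .*expected=\(.*\)$/\1=\2/p'
}

# Stand-alone demonstration on the constructed non-compliant sample.
printf '%s\n' "$SAMPLE_NONCOMPLIANT" | audit_settings \
    || echo "Host is non-compliant; add these entries to /etc/sysctl.conf:"
printf '%s\n' "$SAMPLE_NONCOMPLIANT" | remediation_lines
```

On a live host, feed the real kernel state with `sysctl -a 2>/dev/null | audit_settings`; after appending the printed entries to /etc/sysctl.conf, `sysctl -p` reloads the file, and re-running the audit should then report OK for every key. The audit treats a missing key as a failure on purpose: the procedures above require the entry to be present in the file, not merely to default to 0 at boot.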
Chapter 4 Network Security and Secure Communication
VMware, Inc. 43