3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
Profile Applicability
Level 1 - Server Level 1 - Workstation
Description
Setting net.ipv4.conf.all.rp_filter
and net.ipv4.conf.default.rp_filter
to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians
is set).
Rationale
Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
Audit
Run the following command and verify output matches:
# sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.all.rp_filter = 1 # sysctl net.ipv4.conf.default.rp_filter net.ipv4.conf.default.rp_filter = 1
Remediation
Set the following parameter in the /etc/sysctl.conf
file:
net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1