RHEL 10 must not enable Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.

STIG ID: RHEL-10-800250  |  SRG: SRG-OS-000420-GPOS-00186 |  Severity: medium (CAT II)  |  CCI: CCI-002385,CCI-001112 |  Vulnerability Id: V-281357

Vulnerability Discussion

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00088

Check

Note: If IPv6 is disabled on the system, this requirement is not applicable.

Verify RHEL 10 is not performing IPv6 packet forwarding unless the system is a router.

Check the value of the "net.ipv6.conf.all.forwarding" variable with the following command:

$ sudo sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 0

If "net.ipv6.conf.all.forwarding" is not set to "0" or is missing, this is a finding.

Fix

Configure RHEL 10 to not allow IPv6 packet forwarding unless the system is a router.

Create a configuration file if it does not already exist:

$ sudo vi /etc/sysctl.d/ipv6_forwarding.conf

Add the following line to the file:

net.ipv6.conf.all.forwarding = 0

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.