← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-22491

CAT II (Medium)

The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router.

Rule ID

SV-46115r2_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000366

Discussion

If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.

Check Content

Check if the system is configured for IPv6 forwarding.

# grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all"

If the /proc/sys/net/ipv6/conf/*/forwarding entries do not exist because of compliance with GEN007720, this is not a finding.

If all of the resulting lines do not end with 0, this is a finding.

Fix Text

Disable IPv6 forwarding.

Edit /etc/sysctl.conf and add a setting for "net.ipv6.conf.all.forwarding=0" and "net.ipv6.conf.default.forwarding=0".

Reload the sysctls.
Procedure:
# sysctl -p