
V-23972

CAT II (Medium)

The system must not respond to ICMPv6 echo requests sent to a broadcast address.

Rule ID

SV-45993r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000366

Discussion

Responding to broadcast ICMP echo requests facilitates network mapping and provides a vector for amplification attacks.

Check Content

Check for an ip6tables rule that drops inbound IPv6 ICMP ECHO_REQUESTs sent to the all-hosts multicast address.

Procedure:
# less /etc/sysconfig/scripts/SuSEfirewall2-custom

Check for a rule in, or referenced by, the INPUT chain such as:
ip6tables -A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP

If such a rule does not exist, this is a finding.
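
The check above can be scripted. This is an added example, not part of the STIG: a POSIX shell function (the name check_v23972 is hypothetical) that statically scans a rules file for the rule described, either directly in INPUT or in a chain that INPUT jumps to. Treating ipv6-icmp/58 and echo-request as equivalent spellings of the STIG's example rule is an assumption.

```shell
#!/bin/sh
# check_v23972 FILE  (hypothetical helper, added example)
# Returns 0 when FILE holds an ip6tables rule, in INPUT or in a chain that
# INPUT jumps to, dropping ICMPv6 echo requests (type 128) sent to ff02::1.
# Returns non-zero (finding, or unreadable file) otherwise.
check_v23972() {
    awk '
    /^[[:space:]]*#/ { next }                 # ignore commented-out rules
    {
        chain = proto = dst = type = target = ""
        seen = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "ip6tables" || $i ~ /\/ip6tables$/) seen = 1
            else if ($i == "-A" || $i == "-I") chain = $(i + 1)
            else if ($i == "-p") proto = tolower($(i + 1))
            else if ($i == "-d") dst = tolower($(i + 1))
            else if ($i == "--icmpv6-type") type = tolower($(i + 1))
            else if ($i == "-j") target = $(i + 1)
        }
        if (!seen || chain == "") next        # not a rule-appending command
        icmp = (proto == "icmpv6" || proto == "ipv6-icmp" || proto == "58")
        echo = (type == "128" || type == "128/0" || type == "echo-request")
        host = (dst == "ff02::1" || dst == "ff02::1/128")
        if (icmp && echo && host && target == "DROP") drops[chain] = 1
        # An INPUT jump only counts if its own match could cover the packet.
        if (chain == "INPUT" && (proto == "" || icmp) &&
            (dst == "" || host) && (type == "" || echo))
            jumps[target] = 1
    }
    END {
        if ("INPUT" in drops) exit 0          # rule sits in INPUT itself
        for (c in jumps) if (c in drops) exit 0   # rule referenced by INPUT
        exit 1                                # no such rule: finding
    }' "$1"
}
```

Run it as check_v23972 /etc/sysconfig/scripts/SuSEfirewall2-custom. It inspects the file only, so it does not confirm what is loaded in the kernel or whether an earlier rule accepts the packet first.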

Fix Text

Add an ip6tables rule that drops inbound IPv6 ICMP ECHO_REQUESTs sent to the all-hosts multicast address.

Edit /etc/sysconfig/scripts/SuSEfirewall2-custom and add a rule in, or referenced by, the INPUT chain such as:
ip6tables -A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP

Reload the SuSEfirewall2 rules.
Procedure:
# rcSuSEfirewall2 restart