← Back to Red Hat Enterprise Linux 10 Security Technical Implementation Guide

V-281348

CAT II (Medium)

RHEL 10 must use a reverse-path filter for Internet Protocol version 4 (IPv4) network traffic when possible by default.

Rule ID

SV-281348r1167194_rule

STIG

Red Hat Enterprise Linux 10 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385 CCI-001103

Discussion

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks. Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00079

Check Content

Verify RHEL 10 uses reverse path filtering on IPv4 interfaces.

Check the value of the "net.ipv4.conf.default.rp_filter" with the following command:

$ sudo sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1

If the returned line does not have a value of "1", or a line is not returned, this is a finding.

Fix Text

Configure RHEL 10 to use reverse path filtering on IPv4 interfaces by default.

Create a configuration file if it does not already exist:

$ sudo vi /etc/sysctl.d/ipv4_rp_filter.conf

Add the following line to the file:

net.ipv4.conf.default.rp_filter = 1

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system