Vulnerability Discussion
Enabling reverse path filtering drops packets with invalid source addresses received on the interface. It should not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Check
Verify the system uses a reverse-path filter for IPv4:
# grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
net.ipv4.conf.all.rp_filter = 1
If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in any of the other sysctl.d directories, is commented out, or does not have a value of "1", this is a finding.
Check that the operating system implements the accept source route variable with the following command:
# /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 1
If the returned line does not have a value of "1", this is a finding.
If conflicting results are returned, this is a finding.
Fix
Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.conf.all.rp_filter = 1
Issue the following command to make the changes take effect:
# sysctl --system