{"description": "To set the runtime status of the <code>net.ipv4.conf.all.forwarding</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.forwarding=0</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.all.forwarding = 0</pre>", "rationale": "IP forwarding permits the kernel to forward packets from one network\ninterface to another. The ability to forward packets between two networks is\nonly appropriate for systems acting as routers.", "severity": "medium", "references": {"nist": ["CM-6(b)"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "IP forwarding value is \"1\" and the system is not a router", "ocil": "The runtime status of the <code>net.ipv4.conf.all.forwarding</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl net.ipv4.conf.all.forwarding</pre>\nThe output of the command should indicate that the kernel parameter has the value <code>0</code>.\nThe ability to forward packets is only appropriate for routers.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to not allow packet forwarding unless the system is a router with the following commands:\nAdd or edit the following line in a system configuration file in the \"/etc/sysctl.d/\" directory:\nnet.ipv4.conf.all.forwarding = 0\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must not perform packet forwarding unless the system is a router.", "warnings": [{"general": "There may be cases where certain applications systematically override this option.\nOne such case is <a xmlns='http://www.w3.org/1999/xhtml' href='https://libvirt.org/'>Libvirt</a>, a toolkit for managing virtualization platforms.\nBy default, Libvirt requires IP forwarding to be enabled to facilitate\nnetwork communication between the 
virtualization host and guest\nmachines. It enables IP forwarding after every reboot."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must not enable IPv4 packet forwarding unless the system is a router.", "fixtext": "Configure Ubuntu 22.04 to not allow IPv4 packet forwarding, unless the system is a router.\n\nAdd or edit the following line in a single system configuration file, in the \"/etc/sysctl.d/\" directory:\n\nnet.ipv4.conf.all.forwarding = 0\n\nLoad settings from all system configuration files with the following command:\n\n$ sudo sysctl --system", "checktext": "Verify Ubuntu 22.04 is not performing IPv4 packet forwarding unless the system is a router.\n\nCheck that IPv4 forwarding is disabled using the following command:\n\n$ sudo sysctl net.ipv4.conf.all.forwarding\n\nnet.ipv4.conf.all.forwarding = 0\n\nIf the IPv4 forwarding value is not \"0\" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.\n\nCheck that the configuration files are present to enable this network parameter.\n\n$ /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|$)' | grep -F net.ipv4.conf.all.forwarding | tail -1\n\nnet.ipv4.conf.all.forwarding = 0\n\nIf \"net.ipv4.conf.all.forwarding\" is not set to \"0\" and is not documented with the ISSO as an operational requirement or is missing, this is a finding.", "vuldiscussion": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this capability is used when not required, system network information may be unnecessarily transmitted across the network."}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "check-export": ["sysctl_net_ipv4_conf_all_forwarding_value=xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_forwarding_value"], "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_net_ipv4_conf_all_forwarding.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_net_ipv4_conf_all_forwarding.sh"}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "net.ipv4.conf.all.forwarding", "datatype": "int"}, "backends": {}}}
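Worked example, added here and not part of the SSG rule or its STIG content: a POSIX shell audit that evaluates the persisted value of net.ipv4.conf.all.forwarding the way `sysctl --system` applies it (configuration files concatenated in apply order, last assignment wins, which is why the STIG check pipes `systemd-sysctl --cat-config` through `tail -1`). It also folds the kernel's other name for the same setting, net.ipv4.ip_forward, onto the key being audited, because a later drop-in such as the Libvirt case in the warning above may re-enable forwarding under that name and a plain `grep -F net.ipv4.conf.all.forwarding` would still report 0. The configuration text it parses is constructed for the demonstration; the runtime read from /proc/sys/net/ipv4/conf/all/forwarding is only attempted when that file is readable.

```shell
#!/bin/sh
# Added example: audit the persisted and runtime value of
# net.ipv4.conf.all.forwarding. Not part of the SSG rule; the sample
# configuration text below is constructed for the demonstration.
#
# Parsing follows sysctl.conf(5): lines starting with '#' or ';' are
# comments (inline comments are stripped here as well), "key = value"
# with optional whitespace, '/' may replace '.' in keys, and a leading
# '-' marks "ignore errors". The last assignment in apply order wins,
# which is how the output of systemd-sysctl --cat-config is read.

# normalize_key KEY: canonical dotted form; folds the kernel alias
# net.ipv4.ip_forward onto net.ipv4.conf.all.forwarding (same setting).
normalize_key() {
    k=$(printf '%s' "$1" | sed -e 's/^-//' -e 's#/#.#g')
    case "$k" in
        net.ipv4.ip_forward) k=net.ipv4.conf.all.forwarding ;;
    esac
    printf '%s' "$k"
}

# effective_value CONFIG_TEXT KEY: print the last value assigned to KEY
# in CONFIG_TEXT; print nothing if it is never assigned.
effective_value() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=$(printf '%s' "$line" \
            | sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$line" ] && continue
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        [ "$(normalize_key "$key")" = "$2" ] && printf '%s\n' "$val"
    done | tail -n 1
}

# audit_forwarding CONFIG_TEXT: exit status 0 if the persisted value is 0,
# 1 if it is set to anything else, 2 if it is not persisted at all.
audit_forwarding() {
    v=$(effective_value "$1" net.ipv4.conf.all.forwarding)
    [ -z "$v" ] && return 2
    [ "$v" = "0" ] && return 0
    return 1
}

# runtime_value: current kernel value from /proc/sys, empty if the file
# is not readable (for example when run outside a Linux host).
runtime_value() {
    f=/proc/sys/net/ipv4/conf/all/forwarding
    [ -r "$f" ] && cat "$f"
    return 0
}

# Constructed samples in --cat-config layout (comment line = source file).
SAMPLE_OK='# /etc/sysctl.d/10-hardening.conf
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.rp_filter = 1'

# A later file re-enables forwarding under the alias name, using the
# slash key syntax; grep -F on "net.ipv4.conf.all.forwarding" alone
# would still show 0 for this input.
SAMPLE_OVERRIDDEN='# /etc/sysctl.d/10-hardening.conf
net.ipv4.conf.all.forwarding = 0
# /etc/sysctl.d/99-virt.conf
net/ipv4/ip_forward = 1'

SAMPLE_UNSET='# /etc/sysctl.d/10-hardening.conf
net.ipv4.conf.all.rp_filter = 1'

# report LABEL CONFIG_TEXT: one line per sample in STIG finding terms.
report() {
    rc=0
    audit_forwarding "$2" || rc=$?
    case "$rc" in
        0) printf '%s: compliant (persisted value 0)\n' "$1" ;;
        1) printf '%s: FINDING, persisted value is %s\n' "$1" \
               "$(effective_value "$2" net.ipv4.conf.all.forwarding)" ;;
        *) printf '%s: FINDING, parameter not persisted\n' "$1" ;;
    esac
}

report hardening-only "$SAMPLE_OK"
report alias-override "$SAMPLE_OVERRIDDEN"
report not-set "$SAMPLE_UNSET"
rv=$(runtime_value)
if [ -n "$rv" ]; then printf 'runtime value: %s\n' "$rv"; fi
```

To run it against a real host, replace the constructed samples with `"$(/usr/lib/systemd/systemd-sysctl --cat-config)"`; the audit then reports the same value that `sysctl --system` would load, including an override written under the ip_forward name.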