As a security best practice, verify that the host system denies IPv6 forwarding. If the system is configured for IP forwarding and is not a designated router, it can be used to bypass network security by providing a path for communication that is not filtered by network devices.

Procedure

  1. Run the # grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all" command to verify whether the host denies IPv6 forwarding.
  2. Configure the host system to deny IPv6 forwarding.
    1. Open the /etc/sysctl.conf to configure the host system.
    2. If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. 
      net.ipv6.conf.all.forwarding=0 
net.ipv6.conf.default.forwarding=0
    3. Save the changes and close the file.
    4. Run # sysctl -p to apply the configuration.