As a security best practice, verify that the host system denies IPv6 forwarding. If the system is configured for IP forwarding and is not a designated router, it can be used to bypass network security by providing a path for communication that is not filtered by network devices.
Procedure
- Run the # grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all" command to verify whether the host denies IPv6 forwarding.
- Configure the host system to deny IPv6 forwarding.
- Open the /etc/sysctl.conf to configure the host system.
- If the values are not set to
0
, add the following entries to the file or update the existing entries accordingly. Set the value to0
.net.ipv6.conf.all.forwarding=0 net.ipv6.conf.default.forwarding=0
- Save the changes and close the file.
- Run
# sysctl -p
to apply the configuration.