As a security best practice, verify that your VMware virtual appliance host machines use IPv4 reverse path filtering.

About this task

Reverse-path filtering protects against spoofed source addresses by causing the system to discard packets with source addresses that have no route or a route that does not point towards the originating interface. Configure your host machines to use reverse-path filtering whenever possible. In some cases, depending on the system role, reverse-path filtering can cause the system to discard legitimate traffic. If you encounter such problems, you might need to use a more permissive mode or disable reverse-path filtering altogether.

Procedure

  1. Run the # grep [01] /proc/sys/net/ipv4/conf/*/rp_filter|egrep "default|all" command on the VMware virtual appliance host machines to verify that they use IPv4 reverse path filtering.

    If the virtual machines use IPv4 reverse path filtering, this command returns the following:

    /proc/sys/net/ipv4/conf/all/rp_filter:1
    /proc/sys/net/ipv4/conf/default/rp_filter:1

    If your virtual machines are configured correctly, no further action is required.

  2. If you need to configure IPv4 reverse path filtering on host machines, open the /etc/sysctl.conf file in a text editor.
  3. Check the values of the lines that begin with net.ipv4.conf.

    If the values for the following entries are not set to 1 or if they do not exist, add them to the file or update the existing entries accordingly.

    net.ipv4.conf.all.rp_filter=1
    net.ipv4.conf.default.rp_filter=1
  4. Save the changes and close the file.
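The checks in steps 1 and 3 can be scripted. The following is an added example, not part of the VMware guide: it parses the same `grep` output format, applies the kernel rule that an interface's effective mode is max(conf/all, conf/<iface>), and lists which of the two `sysctl.conf` keys are absent or not set to 1. The function names and the sample data are constructed for illustration.

```shell
# Added example (not from the VMware guide). Audits rp_filter from the
# "grep ... /proc/sys/net/ipv4/conf/*/rp_filter" output and from sysctl.conf text.
# Kernel semantics: effective mode per interface is max(conf/all, conf/<iface>);
# 0 = off, 1 = strict (the guide's target), 2 = loose. "default" only seeds new interfaces.

# rp_effective LINES: print "<name> <effective-mode>" for every entry except "all".
rp_effective() {
    printf '%s\n' "$1" | awk -F'[/:]' '
        NF >= 3 { v[$(NF-2)] = $NF }
        END {
            a = ("all" in v) ? v["all"] : 0
            for (i in v) if (i != "all") {
                e = (i == "default" || v[i] > a) ? v[i] : a
                print i, e
            }
        }' | sort
}

# rp_compliant LINES: exit 0 only if every entry is effectively strict (1).
rp_compliant() {
    rp_effective "$1" | awk 'BEGIN { bad = 0 } $2 != 1 { bad = 1 } END { exit bad }'
}

# rp_conf_missing CONF: list the two keys from step 3 that are absent or not set to 1.
rp_conf_missing() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { gsub(/[ \t]/, ""); split($0, kv, "="); seen[kv[1]] = kv[2] }
        END {
            n = split("net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter", k, " ")
            for (j = 1; j <= n; j++) if (seen[k[j]] != 1) print k[j]
        }'
}

# Constructed samples. lo is 0 but "all" is 1, so lo is still strictly filtered.
SAMPLE_OK='/proc/sys/net/ipv4/conf/all/rp_filter:1
/proc/sys/net/ipv4/conf/default/rp_filter:1
/proc/sys/net/ipv4/conf/eth0/rp_filter:1
/proc/sys/net/ipv4/conf/lo/rp_filter:0'
# eth0 in loose mode with "all" off: not compliant with the guide.
SAMPLE_LOOSE='/proc/sys/net/ipv4/conf/all/rp_filter:0
/proc/sys/net/ipv4/conf/default/rp_filter:1
/proc/sys/net/ipv4/conf/eth0/rp_filter:2'
# Constructed sysctl.conf excerpt: one key disabled, the other absent.
SAMPLE_CONF='# constructed excerpt
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 0'

# On a live host: rp_compliant "$(grep . /proc/sys/net/ipv4/conf/*/rp_filter)" && echo compliant
```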