As a security best practice, verify that your VMware appliance host systems deny IPv6 forwarding.

About this task

If the system is configured for IP forwarding and is not a designated router, attackers could use it to bypass network security by providing a path for communication not filtered by network devices. Configure your virtual appliance host machines to deny IPv6 forwarding to avoid this risk.

Procedure

  1. Run the following command on the VMware appliance host machines to verify that they deny IPv6 forwarding.

    # grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all"

    If the host machines are configured to deny IPv6 forwarding, this command will return the following:

    /proc/sys/net/ipv6/conf/all/forwarding:0
    /proc/sys/net/ipv6/conf/default/forwarding:0

    If the host machines are configured correctly, no further action is necessary.

  2. If you need to configure a host machine to deny IPv6 forwarding, open the /etc/sysctl.conf file in a text editor.
  3. Check the values of the lines that begin with net.ipv6.conf.

    If the values for the following entries are not set to zero or if the entries do not exist, add the entries or update the existing entries accordingly.

    net.ipv6.conf.all.forwarding=0
    net.ipv6.conf.default.forwarding=0

  4. Save any changes you made and close the file.
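
A scripted form of the checks in this procedure, as an added example that is not VMware-supplied code. It reads the live forwarding values for all and default, and parses a sysctl.conf-style file for the net.ipv6.conf.all.forwarding and net.ipv6.conf.default.forwarding keys, treating commented-out entries as missing. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not VMware-supplied): audit IPv6 forwarding settings.
KEYS="net.ipv6.conf.all.forwarding net.ipv6.conf.default.forwarding"

# Print the effective value of key $2 in sysctl file $1. Entries are applied
# in order, so the last assignment wins; comment lines (# or ;) are skipped.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }' "$1"
}

# Succeed only if every key in KEYS is explicitly set to 0 in file $1.
conf_denies_forwarding() {
    for key in $KEYS; do
        val=$(conf_value "$1" "$key" 2>/dev/null || true)
        if [ "$val" != "0" ]; then
            echo "FAIL: $key=${val:-<missing>} in $1"; return 1
        fi
    done
    echo "OK: $1 denies IPv6 forwarding"
}

# Succeed only if the live values under $1 are 0 (default: the real /proc tree).
runtime_denies_forwarding() {
    root=${1:-/proc/sys/net/ipv6/conf}
    for scope in all default; do
        val=$(cat "$root/$scope/forwarding" 2>/dev/null || true)
        if [ "$val" != "0" ]; then
            echo "FAIL: $root/$scope/forwarding=${val:-<unreadable>}"; return 1
        fi
    done
    echo "OK: $root denies IPv6 forwarding"
}

# Constructed sample input, so the demo runs without touching /etc or /proc.
demo=$(mktemp -d)
printf '%s\n' 'net.ipv6.conf.all.forwarding = 0' \
    '#net.ipv6.conf.default.forwarding=0' > "$demo/commented.conf"
printf '%s\n' 'net.ipv6.conf.all.forwarding=0' \
    'net.ipv6.conf.default.forwarding=0' > "$demo/hardened.conf"
conf_denies_forwarding "$demo/commented.conf" || true   # FAIL: default is only a comment
conf_denies_forwarding "$demo/hardened.conf"
rm -rf "$demo"
```

On a host, call runtime_denies_forwarding with no argument and conf_denies_forwarding /etc/sysctl.conf; a non-zero exit status from either means the host still needs the change described in steps 2 through 4.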