Details

Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router.

Solution

Set the following parameter in the /etc/sysctl.conf file:
net.ipv4.ip_forward = 0

Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.ip_forward=0
# sysctl -w net.ipv4.route.flush=1

Supportive Information

The following resource is also helpful.

• https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623.html

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.

References

• 800-53|SC-7(12)
• CSCv6|3
• CSCv6|11

Source

• Tenable.com/audits