Profile Applicability:
 • Level 1

Description:
Reverse path filtering helps prevent IP spoofing by checking that an incoming packet's source address is reachable back through the interface the packet arrived on (strict mode) or through at least one interface (loose mode); packets that fail the check are dropped. Enabling this feature helps protect against spoofed traffic and certain types of network attacks.

Rationale:
 Enabling reverse path filtering improves network security by ensuring that packets have valid source addresses and mitigating IP spoofing risks.

Impact:
 Pros:

  • Protects against IP spoofing and certain network attacks.

  • Enhances the integrity of network traffic.

 Cons:

  • May cause legitimate asymmetric routing traffic to be dropped in complex network environments.

Default Value:
 Reverse path filtering is often disabled or set to loose mode by default.

Pre-requisites:

  • Root or sudo privileges to modify network settings.

Remediation:

Test Plan:

Using Linux command line:

1. Check current reverse path filtering settings:

sysctl net.ipv4.conf.all.rp_filter
sysctl net.ipv4.conf.default.rp_filter

2. Confirm both values are set to 1 (strict) or 2 (loose); a value of 0 means filtering is disabled.
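The two sysctl reads above cover only the "all" and "default" keys. The kernel applies the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter when validating a packet's source on <iface>, so a per-interface audit shows the mode actually in force. The script below is an added example for this test plan, not part of the original benchmark text; the function names and the SYSCTL_ROOT variable (which lets the audit be pointed at a constructed directory tree instead of the live /proc/sys) are assumptions of this example.

```shell
#!/bin/sh
# Audit the effective reverse-path-filtering mode of every IPv4 interface.
# Effective mode = max(conf/all/rp_filter, conf/<iface>/rp_filter).
# SYSCTL_ROOT (assumed name) defaults to /proc/sys; point it at a
# constructed tree to exercise the logic without touching the live kernel.

rp_mode_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rp_filter ALL_VALUE IFACE_VALUE -> prints the larger value
effective_rp_filter() {
    if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi
}

# audit_rp_filter [ROOT] -> prints "<iface> <value> <mode>" per interface;
# returns 1 if any interface other than lo is effectively disabled (0).
audit_rp_filter() {
    root="${1:-/proc/sys}"
    conf="$root/net/ipv4/conf"
    all_val=$(cat "$conf/all/rp_filter")
    rc=0
    for dir in "$conf"/*; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        iface_val=$(cat "$dir/rp_filter")
        eff=$(effective_rp_filter "$all_val" "$iface_val")
        printf '%s %s %s\n' "$iface" "$eff" "$(rp_mode_name "$eff")"
        if [ "$eff" -eq 0 ] && [ "$iface" != lo ]; then rc=1; fi
    done
    return $rc
}

# Run against the live kernel when a sysctl tree is present.
if [ -d "${SYSCTL_ROOT:-/proc/sys}/net/ipv4/conf" ]; then
    audit_rp_filter "${SYSCTL_ROOT:-/proc/sys}" \
        || echo "WARNING: reverse path filtering is effectively disabled on at least one interface"
fi
```

A non-zero exit from audit_rp_filter is the failing condition for this test; the printed lines show which interface is responsible.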

Implementation Plan:

Using Linux command line:

1. Enable reverse path filtering temporarily:

sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1

2. Persist the settings by adding the following lines to /etc/sysctl.conf or to a file in /etc/sysctl.d/:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Backout Plan:

Using Linux command line:

1. Disable or adjust reverse path filtering if necessary:

sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0

2. Update the configuration files accordingly and reload the sysctl settings.

References: