How to check for: Operating system not forwarding packets

Linux machines can act either as a router or as a plain host. The difference shows up only when a packet arrives that is not addressed to one of this system's own IP addresses: a router consults its routing table and pushes the packet back out toward its final destination; a non-router simply drops it.

(This is another entry in our series of examples on how to use the new string presence check in Halo.  For an introduction to this new feature, please see our previous Introduction to Search Expressions post.)

Since most cloud servers don't need to route, it makes sense to ask the kernel and confirm that forwarding is disabled. The /proc virtual file that controls it, /proc/sys/net/ipv4/ip_forward, holds one of two values, 0 (don't forward packets) or 1 (act as a router and forward packets), so the check is straightforward: create this check in a Halo Configuration Policy and apply it to your server group:

/proc/sys/net/ipv4/ip_forward Contains ^0$

The anchors matter: ^0$ requires the file to contain exactly 0 and nothing else. Two caveats a practitioner should keep in mind. First, this file reflects the running kernel only; a net.ipv4.ip_forward = 1 line in /etc/sysctl.conf or /etc/sysctl.d/ will re-enable forwarding at the next boot, so the persisted configuration deserves a check of its own. Second, this setting covers IPv4 only; IPv6 forwarding is controlled separately by /proc/sys/net/ipv6/conf/all/forwarding, which should get the same check on dual-stack hosts.
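The following script is an added example, not code from the original post or from Halo. It reproduces the policy check above in plain shell (the file must contain exactly the line 0) and extends it to the two places that check does not reach: the IPv6 counterpart and the sysctl configuration files that are reapplied at boot. The function names, the output format and the sample file used in testing are the example's own.

```shell
#!/bin/sh
# Audit whether this host forwards packets, i.e. behaves as a router.
# Added example; function names and report format are this example's own.

# forwarding_disabled FILE
# Succeeds only when FILE holds the single line "0", the same condition as
# the Halo check "Contains ^0$". grep -x anchors to the whole line, so
# "1", "10", an empty file or a missing file all fail.
forwarding_disabled() {
    grep -qx '0' "$1" 2>/dev/null
}

# persisted_value FILE KEY
# Print the value sysctl(8) would apply for KEY when loading FILE: the last
# uncommented assignment wins. Keys written with '/' separators
# (net/ipv4/ip_forward) are normalised to the dotted form before comparing.
persisted_value() {
    awk -v key="$2" -F'=' '
        /^[ \t]*[#;]/ || NF < 2 { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/\//, ".", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v }
        }
        END { if (last != "") print last }
    ' "$1"
}

# audit_live
# Check the running kernel (IPv4 and IPv6) and the persisted sysctl files.
# Returns 1 if forwarding is on now or would be turned on at boot.
audit_live() {
    rc=0
    for f in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding; do
        if [ ! -r "$f" ]; then
            echo "SKIP  $f: not present or not readable on this host"
        elif forwarding_disabled "$f"; then
            echo "OK    $f = 0"
        else
            echo "FAIL  $f = $(cat "$f") (forwarding enabled)"
            rc=1
        fi
    done
    # A runtime value of 0 can still be overridden at the next boot.
    for conf in /etc/sysctl.conf /etc/sysctl.d/*.conf; do
        [ -r "$conf" ] || continue
        for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
            v=$(persisted_value "$conf" "$key")
            if [ -n "$v" ] && [ "$v" != "0" ]; then
                echo "FAIL  $conf sets $key = $v (re-enabled at boot)"
                rc=1
            fi
        done
    done
    return $rc
}

# Report on the live host. Wrapped in if/else so the script is safe under set -e.
if audit_live; then
    echo "RESULT: packet forwarding disabled (runtime and persisted config)"
else
    echo "RESULT: forwarding enabled somewhere; review the FAIL lines above"
fi
```

Run it as sh check_forwarding.sh on the server. The persisted-config scan looks only at /etc/sysctl.conf and /etc/sysctl.d/*.conf; systemd hosts also load /usr/lib/sysctl.d and /run/sysctl.d, and when the same key appears in several files the file processed last wins, so extend the loop if your images rely on those directories.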
