The system must set strict multihoming.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-216375 | SRG-OS-000480 | SOL-11.1-050080 | SV-216375r959010_rule | 2024-11-25 | 3 |
| Description |
|---|
| These settings control whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface. This rule is NA for documented systems that have interfaces that cross strict networking domains (for example, a firewall, a router, or a VPN node). |
| ℹ️ Check |
|---|
| Determine if strict multihoming is configured. # ipadm show-prop -p _strict_dst_multihoming -co current ipv4 # ipadm show-prop -p _strict_dst_multihoming -co current ipv6 If the output of all commands is not "1", this is a finding. |
| ✔️ Fix |
|---|
| The Network Management profile is required. Disable strict multihoming for IPv4 and IPv6. # pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv4 # pfexec ipadm set-prop -p _strict_dst_multihoming=1 ipv6 |