IP Forwarding Enabled

  • Query id: 7c98538a-81c6-444b-bf04-e60bc3ceeec0
  • Query name: IP Forwarding Enabled
  • Platform: GoogleDeploymentManager
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 1188
  • URL: Github

Description

Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
resources:
- name: vm-template
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
    networkInterfaces:
    - network: global/networks/default
    canIpForward: true

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
resources:
- name: vm-template2
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/n1-standard-1
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-9
    networkInterfaces:
    - network: global/networks/default
    canIpForward: false