
Why is ip forwarding for an ECS instance being flagged as a vulnerability?

Çağlar Arlı - 90 Views

I am very new to this and was asked to address some security patches on various ec2 instances in our AWS account. Mostly this was a matter of using the Security Manager to connect to the instance and running "yum update whatever". One of the notes was that we had IP forwarding enabled on some instances which were used as ECS containers, i.e. docker hosts, but the notes only gave instructions on how to turn it off by adding "sysctl -w net.ipv4.ip_forward=0" to the startup script. A search revealed to me that Docker relies on port forwarding to make Docker networking work and indeed, when we tried turning it off, it began throwing 504 errors.

I want to be able to explain why this isn't a security vulnerability here, but I am not sure I understand the issue. Our ECS cluster is fronted with a load balancer and an AWS WAF firewall in front of that. I gather that ip forwarding isn't a risk in and of itself (https://serverfault.com/questions/749682/ip-forwarding-on-linux-anything-important-to-make-sure-to-do-or-know), but am not sure how an attacker can use it.

I found this stating "If an attacker knows your IP and Port, he can send malicious data and try to gain access to the computer, be it your own pc, or a gaming server. Port forwarding is a rule that allows your application to negotiate with a firewall, be it from your own computer, server or router to pass data with the outside world." I understand that NATing works by assigning a random port to a request and when a response is received, forwarding the response to the node with the IP associated with that random port. The port itself isn't necessarily associated with a running application, is it? Could it be associated with a running application?
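As an added example that is not part of the original question, here is a small POSIX shell check a reviewer could use to triage an "ip_forward enabled" finding on a Docker host. It treats net.ipv4.ip_forward=1 as acceptable only when the kernel's FORWARD chain has a DROP policy and no blanket ACCEPT rule, because that chain (which Docker configures itself) is where forwarding is actually restricted. The FORWARD chain contents below are constructed samples, not output from the asker's hosts.

```shell
#!/bin/sh
# Added example: triage an "IP forwarding enabled" finding on a Docker/ECS host.
# Docker needs ip_forward=1 for container networking; the real control is the
# FORWARD chain: Docker sets its policy to DROP and adds interface-scoped ACCEPT
# rules. A blanket "-A FORWARD -j ACCEPT" would turn the host into an open router.

# assess_forwarding IP_FORWARD_VALUE "OUTPUT OF: iptables -S FORWARD"
# Prints exactly one verdict: off | restricted | unrestricted
assess_forwarding() {
  fwd="$1"
  rules="$2"
  if [ "$fwd" = "0" ]; then
    echo "off"
    return 0
  fi
  # The policy line printed by 'iptables -S FORWARD' looks like "-P FORWARD DROP"
  policy=$(printf '%s\n' "$rules" | sed -n 's/^-P FORWARD \([A-Z]*\).*/\1/p')
  # An ACCEPT rule with no interface, address or state match forwards anything
  blanket=no
  if printf '%s\n' "$rules" | grep -Eq '^-A FORWARD( -p [a-z]+)? -j ACCEPT$'; then
    blanket=yes
  fi
  if [ "$policy" = "DROP" ] && [ "$blanket" = "no" ]; then
    echo "restricted"
  else
    echo "unrestricted"
  fi
}

# Live check against the running host (iptables normally needs root).
live_check() {
  fwd=$(cat /proc/sys/net/ipv4/ip_forward)
  rules=$(iptables -S FORWARD 2>/dev/null || true)
  assess_forwarding "$fwd" "$rules"
}

# Constructed sample: what a default Docker host's FORWARD chain looks like
DOCKER_HOST_RULES='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Constructed sample: someone "fixed" a connectivity problem with a blanket ACCEPT
OPEN_RULES='-P FORWARD DROP
-A FORWARD -j ACCEPT'

# Run the live check only when explicitly asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

The verdict to report back is "restricted": forwarding is on because Docker requires it, and the FORWARD chain, not the sysctl, is what limits it to container traffic.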