sysctl: For the sake of completeness, do not accept IPv6 redirects
Commit Message
While IPFire 2.x' web interface does not support IPv6, users can
technically run it with IPv6 by conducting the necessary configuration
changes manually.
To provide these systems as well, we should disable acceptance of ICMPv6
redirect packets - which is apparently not default in Linux, yet. :-/
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/etc/sysctl.conf | 4 ++++
1 file changed, 4 insertions(+)
Comments
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
> On 7 Jun 2022, at 21:09, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> While IPFire 2.x' web interface does not support IPv6, users can
> technically run it with IPv6 by conducting the necessary configuration
> changes manually.
>
> To provide these systems as well, we should disable acceptance of ICMPv6
> redirect packets - which is apparently not default in Linux, yet. :-/
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/etc/sysctl.conf | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index 7fe397bb7..6bf3bc887 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -31,6 +31,10 @@ vm.min_free_kbytes = 8192
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
>
> +# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6.
> +net.ipv6.conf.all.accept_redirects = 0
> +net.ipv6.conf.default.accept_redirects = 0
> +
> # Enable netfilter accounting
> net.netfilter.nf_conntrack_acct = 1
>
> --
> 2.35.3
@@ -31,6 +31,10 @@ vm.min_free_kbytes = 8192
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
+# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6.
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
# Enable netfilter accounting
net.netfilter.nf_conntrack_acct = 1