From patchwork Tue Jun 7 20:09:07 2022
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 5650
Message-ID: <0e8d69d7-fa5d-3884-620e-6aa41c0198a0@ipfire.org>
Date: Tue, 7 Jun 2022 20:09:07 +0000
To: "IPFire: Development"
From: Peter Müller
Subject: [PATCH] sysctl: For the sake of completeness, do not accept IPv6 redirects
List-Id: IPFire development talk

While IPFire 2.x' web interface does not support IPv6, users can technically run it with IPv6 by conducting the necessary configuration changes manually. To provide these systems as well, we should disable acceptance of ICMPv6 redirect packets - which is apparently not default in Linux, yet. :-/
Signed-off-by: Peter Müller Reviewed-by: Michael Tremer --- config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7fe397bb7..6bf3bc887 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -31,6 +31,10 @@ vm.min_free_kbytes = 8192 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 +# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6. +net.ipv6.conf.all.accept_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0 + # Enable netfilter accounting net.netfilter.nf_conntrack_acct = 1
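Review bot: the added comment line `+# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6.` has a stray apostrophe in "sysctl's" and "customly" is not a word; suggest `+# However, enable some IPv6 hardening sysctls in case this system is run manually _with_ IPv6.` Also worth stating in the comment or commit message that `net.ipv6.conf.default.accept_redirects` only seeds interfaces created after the file is applied, and that the kernel already ignores ICMPv6 redirects on interfaces where IPv6 forwarding is enabled, so the two new lines mainly matter for interfaces where forwarding is off; checking `sysctl net.ipv6.conf.<iface>.accept_redirects` on a booted system would confirm the setting reached the real interfaces rather than only `all` and `default`.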