git.ipfire.org Git - ipfire-2.x.git/commitdiff
sysctl: For the sake of completeness, do not accept IPv6 redirects
author Peter Müller <peter.mueller@ipfire.org>
Tue, 7 Jun 2022 20:09:07 +0000 (20:09 +0000)
committer Peter Müller <peter.mueller@ipfire.org>
Mon, 13 Jun 2022 15:48:45 +0000 (15:48 +0000)
While IPFire 2.x' web interface does not support IPv6, users can
technically run it with IPv6 by conducting the necessary configuration
changes manually.

To provide these systems as well, we should disable acceptance of ICMPv6
redirect packets - which is apparently not default in Linux, yet. :-/

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
config/etc/sysctl.conf

index 7fe397bb71a1fa7b6ce21aae58e7cf5ade8da932..6bf3bc8875a92c3eecf0fd134d2822e9888cd806 100644 (file)
@@ -31,6 +31,10 @@ vm.min_free_kbytes = 8192
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 
+# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6.
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
 # Enable netfilter accounting
 net.netfilter.nf_conntrack_acct = 1
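
Review bot: The comment on the first added line says "some IPv6 hardening sysctl's" without naming what the two settings do, and "customly" is not a word; something like "Do not accept ICMPv6 redirects in case this system is manually configured to run with IPv6" would state the intent directly. Only the `all` and `default` keys are set here, so it is worth confirming that interfaces which already exist when sysctl.conf is applied also end up with accept_redirects = 0, since the `default` value is only copied to interfaces created afterwards.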