From 84d6e931508cf0c2b31a0b1b7923d6bda84414c2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Peter=20M=C3=BCller?=
Date: Tue, 7 Jun 2022 20:09:07 +0000
Subject: [PATCH] sysctl: For the sake of completeness, do not accept IPv6 redirects
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

While IPFire 2.x' web interface does not support IPv6, users can technically run it with IPv6 by conducting the necessary configuration changes manually. To provide these systems as well, we should disable acceptance of ICMPv6 redirect packets - which is apparently not default in Linux, yet. :-/

Signed-off-by: Peter Müller
Reviewed-by: Michael Tremer
---
 config/etc/sysctl.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 7fe397bb71..6bf3bc8875 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -31,6 +31,10 @@ vm.min_free_kbytes = 8192
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
+# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6.
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
 # Enable netfilter accounting
 net.netfilter.nf_conntrack_acct = 1
-- 
2.39.5
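Review bot: The two added `accept_redirects` lines may not reach every interface. As far as I know the IPv6 stack checks only the per-interface value when a redirect arrives, `net.ipv6.conf.default.*` is copied only into interfaces created after it is set, and writing `net.ipv6.conf.all.accept_redirects` does not propagate to existing interfaces the way `all.disable_ipv6` does. An interface that already exists when sysctl.conf is applied at boot could therefore keep `accept_redirects = 1`, so it is worth confirming on an IPv6-enabled system with `sysctl net.ipv6.conf.<iface>.accept_redirects` (placeholder interface name). The kernel documentation also describes redirects as functionally disabled on interfaces with forwarding enabled, so on routed interfaces this is defence in depth; a comment such as `# 'default' only affects interfaces created later; verify per-interface values after boot.` would record that. The added comment promises "some IPv6 hardening sysctl's" but the lines set only redirects, so `# Do not accept ICMPv6 redirects in case IPv6 has been enabled manually.` would describe them more precisely.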