From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] sysctl: For the sake of completeness, do not accept IPv6 redirects
Date: Mon, 13 Jun 2022 15:13:11 +0100
Message-ID: <9FC6981C-5F81-48FE-AB2A-EA540C855251@ipfire.org>
In-Reply-To: <0e8d69d7-fa5d-3884-620e-6aa41c0198a0@ipfire.org>

Reviewed-by: Michael Tremer

> On 7 Jun 2022, at 21:09, Peter Müller wrote:
> 
> While IPFire 2.x' web interface does not support IPv6, users can
> technically run it with IPv6 by conducting the necessary configuration
> changes manually.
> 
> To provide these systems as well, we should disable acceptance of ICMPv6
> redirect packets - which is apparently not default in Linux, yet. :-/
> 
> Signed-off-by: Peter Müller
> ---
> config/etc/sysctl.conf | 4 ++++
> 1 file changed, 4 insertions(+)
> 
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index 7fe397bb7..6bf3bc887 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -31,6 +31,10 @@ vm.min_free_kbytes = 8192
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> 
> +# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6.
> +net.ipv6.conf.all.accept_redirects = 0
> +net.ipv6.conf.default.accept_redirects = 0
> +
> # Enable netfilter accounting
> net.netfilter.nf_conntrack_acct = 1
> 
> -- 
> 2.35.3
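Review bot: the added comment in the sysctl.conf hunk ("in case this system is run customly _with_ IPv6") reads awkwardly and is far longer than the surrounding lines; suggest something like `# Hardening for systems that were manually configured to use IPv6` so it stays on one short line and says why the settings follow two lines that disable IPv6 outright. Keeping both the `all` and the `default` entry is the right call here: with `net.ipv6.conf.all.disable_ipv6 = 1` and `net.ipv6.conf.default.disable_ipv6 = 1` set directly above, an interface that a user later enables IPv6 on by hand picks up `default`, while `all` covers interfaces that already exist when the file is applied, so dropping either line would leave one of the two cases accepting redirects.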