Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
On 7 Jun 2022, at 21:09, Peter Müller <peter.mueller@ipfire.org> wrote:
While IPFire 2.x' web interface does not support IPv6, users can technically run it with IPv6 by conducting the necessary configuration changes manually.
To provide these systems as well, we should disable acceptance of ICMPv6 redirect packets - which is apparently not default in Linux, yet. :-/
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
config/etc/sysctl.conf | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7fe397bb7..6bf3bc887 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -31,6 +31,10 @@ vm.min_free_kbytes = 8192 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1
+# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6. +net.ipv6.conf.all.accept_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0
# Enable netfilter accounting net.netfilter.nf_conntrack_acct = 1
-- 2.35.3
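Review bot: the comment on the added lines says "some IPv6 hardening sysctl's", but the hunk only sets accept_redirects, so the comment should say that it disables acceptance of ICMPv6 redirects, as the commit message does. The two keys cover only net.ipv6.conf.all and net.ipv6.conf.default, and default is the template for interfaces created after the value is set. On a system where IPv6 has been re-enabled by hand, it is therefore worth confirming that interfaces which already exist when this file is loaded end up with accept_redirects = 0, and noting the result in the comment or the commit message.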