defaults, more hardened defaults, prevent icmp redirects being send.

2026-03-20 03:16:12 +00:00 · 2019-02-13 09:57:40 +01:00 · 2019-02-13 09:57:40 +01:00 · b424a2f9b3
commit b424a2f9b3
parent 7eb9a4f755
1 changed files with 12 additions and 0 deletions
--- a/src/etc/config.xml.sample
+++ b/src/etc/config.xml.sample
@ -203,6 +203,18 @@
      <tunable>security.bsd.see_other_uids</tunable>
      <value>default</value>
    </item>
+    <item>
+      <descr><![CDATA[Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+        and for the sender directly reachable, route and next hop is known.]]>
+      </descr>
+      <tunable>net.inet.ip.redirect</tunable>
+      <value>0</value>
+    </item>
+    <item>
+      <descr><![CDATA[Enable/disable dropping of ICMP Redirect packets]]></descr>
+      <tunable>net.inet.icmp.drop_redirect</tunable>
+      <value>1</value>
+    </item>
  </sysctl>
  <system>
    <optimization>normal</optimization>