From b424a2f9b3b7336054ae620a2da9d8739d36c0fe Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 13 Feb 2019 09:57:40 +0100
Subject: [PATCH] defaults, more hardened defaults, prevent icmp redirects
 being send.

---
 src/etc/config.xml.sample | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/etc/config.xml.sample b/src/etc/config.xml.sample
index 4cb6876bd..097b0eac6 100644
--- a/src/etc/config.xml.sample
+++ b/src/etc/config.xml.sample
@@ -203,6 +203,18 @@
       <tunable>security.bsd.see_other_uids</tunable>
       <value>default</value>
     </item>
+    <item>
+      <descr><![CDATA[Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+        and for the sender directly reachable, route and next hop is known.]]>
+      </descr>
+      <tunable>net.inet.ip.redirect</tunable>
+      <value>0</value>
+    </item>
+    <item>
+      <descr><![CDATA[Enable/disable dropping of ICMP Redirect packets]]></descr>
+      <tunable>net.inet.icmp.drop_redirect</tunable>
+      <value>1</value>
+    </item>
   </sysctl>
   <system>
     <optimization>normal</optimization>