Provide option to deny sending and receiving shared media redirects

README.md

@@ -102,12 +102,15 @@ Networking:
 - Disable ICMP redirect acceptance and redirect sending messages to prevent
   man-in-the-middle attacks and minimize information disclosure.
 
+- Optional - Deny sending and receiving shared media redirects to reduce
+  the risk of IP spoofing attacks.
+
 - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
   cache poisoning attacks.
 
 - Optional - Respond to ARP requests only if the target IP address is
   on-link, preventing some IP spoofing attacks.
-  
+
 - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
   via man-in-the-middle and denial-of-service attacks.
 

usr/lib/sysctl.d/990-security-misc.conf

@@ -443,6 +443,17 @@ net.ipv4.conf.*.send_redirects=0
 net.ipv6.conf.*.accept_redirects=0
 #net.ipv4.conf.*.secure_redirects=1
 
+## Deny sending and receiving RFC1620 shared media redirects.
+## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs.
+## Stops the kernel from sending ICMP redirects to specific networks from the connected network.
+## This variable overrides the use secure_redirects.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+## https://datatracker.ietf.org/doc/html/rfc1620
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+##
+#net.ipv4.conf.*.shared_media=0
+
 ## Enable ARP (Address Resolution Protocol) filtering.
 ## Prevents the Linux kernel from handling the ARP table globally
 ## Can mitigate some ARP spoofing and ARP cache poisoning attacks.