From 88c88187f2909322211cc08598717068ea7cf1d1 Mon Sep 17 00:00:00 2001
From: Raja Grewal <rg_public@proton.me>
Date: Wed, 24 Jul 2024 17:26:50 +1000
Subject: [PATCH] Re-enable (default) `secure_redirects` for ICMP redirect
 messages

---
 README.md                               | 3 +--
 usr/lib/sysctl.d/990-security-misc.conf | 9 +++------
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 5e029c8..02fd18e 100644
--- a/README.md
+++ b/README.md
@@ -72,8 +72,7 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
   from all interfaces to prevent IP spoofing.
 
 - Disable ICMP redirect acceptance and redirect sending messages to
-  prevent man-in-the-middle attacks and minimize information disclosure. If
-  ICMP redirect messages are permitted, only do so from approved gateways.
+  prevent man-in-the-middle attacks and minimize information disclosure.
 
 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 7b07033..8fe680c 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -260,6 +260,9 @@ net.ipv4.conf.default.rp_filter=1
 ## Disable ICMP redirect acceptance and redirect sending messages.
 ## Prevents man-in-the-middle attacks and minimizes information disclosure.
 ##
+## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
 ##
 net.ipv4.conf.all.accept_redirects=0
@@ -269,12 +272,6 @@ net.ipv4.conf.default.send_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
 
-## Accept ICMP redirect messages only for approved gateways.
-## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
-##
-net.ipv4.conf.all.secure_redirects=0
-net.ipv4.conf.default.secure_redirects=0
-
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
 ##