Provide option to deny sending and receiving shared media redirects

2025-05-02 12:36:04 -04:00 · 2024-11-13 05:42:56 +00:00 · 2024-11-13 05:42:56 +00:00 · 141b84c40d
commit 141b84c40d
parent 18aec201bf
2 changed files with 15 additions and 1 deletions
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -443,6 +443,17 @@ net.ipv4.conf.*.send_redirects=0
 net.ipv6.conf.*.accept_redirects=0
 #net.ipv4.conf.*.secure_redirects=1

+## Deny sending and receiving RFC1620 shared media redirects.
+## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs.
+## Stops the kernel from sending ICMP redirects to specific networks from the connected network.
+## This variable overrides the use secure_redirects.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+## https://datatracker.ietf.org/doc/html/rfc1620
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+##
+#net.ipv4.conf.*.shared_media=0
+
 ## Enable ARP (Address Resolution Protocol) filtering.
 ## Prevents the Linux kernel from handling the ARP table globally
 ## Can mitigate some ARP spoofing and ARP cache poisoning attacks.