diff --git a/README.md b/README.md
index 02fd18e..5e029c8 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
   from all interfaces to prevent IP spoofing.
 
 - Disable ICMP redirect acceptance and redirect sending messages to
-  prevent man-in-the-middle attacks and minimize information disclosure.
+  prevent man-in-the-middle attacks and minimize information disclosure. If
+  ICMP redirect messages are permitted, only do so from approved gateways.
 
 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 8fe680c..39d0539 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -272,6 +272,12 @@ net.ipv4.conf.default.send_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
 
+## Accept ICMP redirect messages only for approved gateways.
+## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
+##
+net.ipv4.conf.all.secure_redirects=1
+net.ipv4.conf.default.secure_redirects=1
+
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
 ##