diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index fd51343..3cebc76 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -252,16 +252,22 @@ net.ipv4.conf.all.rp_filter=1
 net.ipv4.conf.default.rp_filter=1
 
 ## Disable ICMP redirect acceptance and redirect sending messages.
-## Prevents man-in-the-middle attacks and minimises information disclosure.
+## Prevents man-in-the-middle attacks and minimises information disclosure.
+##
+## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
 ##
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.all.secure_redirects=0
-net.ipv4.conf.default.secure_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+## Accept ICMP redirect messages only for approved gateways.
+## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
+##
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
 
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
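Review bot: The new comment block above `net.ipv4.conf.all.secure_redirects=0` says "Accept ICMP redirect messages only for approved gateways", but that describes `secure_redirects=1`; the value `0` written here disables the gateway-list restriction, and the kernel default for this knob is already `1` (enabled), so as written the setting loosens a control rather than hardening anything. It is harmless today only because `accept_redirects=0` makes redirects moot, but if `accept_redirects` is ever re-enabled by a later sysctl.d fragment the weaker value would take effect. Either set `net.ipv4.conf.all.secure_redirects=1` and `net.ipv4.conf.default.secure_redirects=1` to match the comment, or keep `0` and reword the comment so it does not claim a restriction the value turns off, e.g. `## Has no effect while accept_redirects=0; set to 1 to restrict redirects to the gateway list if they are ever permitted.`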