Merge branch 'Kicksecure:master' into docs

usr/lib/sysctl.d/990-security-misc.conf

@@ -284,8 +284,14 @@ net.ipv4.conf.default.rp_filter=1
 
 ## Disable ICMP redirect acceptance and redirect sending messages.
 ## Prevents man-in-the-middle attacks and minimizes information disclosure.
+## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default).
+## Approving gateways requires the managing of a default gateway list.
 ##
+## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
+## https://github.com/Kicksecure/security-misc/pull/248
 ##
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0
@@ -293,12 +299,8 @@ net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
-
-## Accept ICMP redirect messages only for approved gateways.
-## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
-##
-net.ipv4.conf.all.secure_redirects=0
-net.ipv4.conf.default.secure_redirects=0
+#net.ipv4.conf.all.secure_redirects=1
+#net.ipv4.conf.default.secure_redirects=1
 
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.