tripleo-heat-templates/releasenotes/notes/disable-kernel-parameter-fo...

20 lines
980 B
YAML

---
upgrade:
- The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects
are now set to 0 to prevent a compromised host from sending invalid ICMP
redirects to other router devices.
- The net.ipv4.conf.default.accept_redirects,
net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects
are now set to 0 to prevent forged ICMP packet from altering host's routing
tables.
- The net.ipv4.conf.default.secure_redirects &
net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance
of secure ICMP redirected packets.
security:
- Invalide ICMP redirects may corrupt routing and have users access a system
set up by the attacker as opposed to a valid system.
- Routing tables may be altered by bogus ICMP redirect messages and send
packets to incorrect networks.
- Secure ICMP redirects are the same as ICMP redirects, except they come from
gateways listed on the default gateway list.