Merge "Fix IP config security violations in sysctl.conf"

initscripts-config/files/sysctl.conf

@@ -42,23 +42,30 @@ net.ipv4.conf.all.rp_filter=1
 # Ignore ICMP broadcasts
 #net.ipv4.icmp_echo_ignore_broadcasts = 1
 #
-# Ignore bogus ICMP errors
-#net.ipv4.icmp_ignore_bogus_error_responses = 1
+# Set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses
+# kernel parameter to enable Kernel Parameter to Ignore Bogus ICMP Error
+# Responses on IPv4 Interfaces.
+# Ignoring bogus ICMP error responses reduces log size, although some
+# activity would not be logged.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
 #
 # Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
 # _or_
 # Accept ICMP redirects only for gateways listed in our default
 # gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
+# Accepting "secure" ICMP redirects (from those gateways listed as default
+# gateways) has few legitimate uses. It should be disabled unless it is
+# absolutely required.
+net.ipv4.conf.all.secure_redirects = 0
 #
 # Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
 #
 # Do not accept IP source route packets (we are not a router)
 #net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
 #
 # Log Martian Packets
 #net.ipv4.conf.all.log_martians = 1
@@ -105,3 +112,43 @@ net.ipv4.ip_local_reserved_ports=35357,44134-44136
 # it in the code we control, but this will keep the number at a reasonable
 # size if an application is poorly behaved.
 fs.negative-dentry-limit=20
+# Set the runtime status of the - net.ipv6.conf.default.accept_redirects -
+# kernel parameter to disable Kernel Parameter for Accepting ICMP Redirects
+# by Default on IPv6 Interfaces.
+# An illicit ICMP redirect message could result in a man-in-the-middle attack.
+net.ipv6.conf.default.accept_redirects = 0
+
+# Set the runtime status of the net.ipv4.conf.default.accept_redirects kernel
+# parameter, to disable Kernel Parameter for Accepting ICMP Redirects by Default
+# on IPv4 Interfaces.
+# ICMP redirect messages are used by routers to inform hosts that a more direct
+# route exists for a particular destination.
+# These messages modify the host's route table and are unauthenticated.
+# An illicit ICMP redirect message could result in a man-in-the-middle attack.
+# This feature of the IPv4 protocol has few legitimate uses. It should be
+# disabled unless absolutely required.
+net.ipv4.conf.default.accept_redirects = 0
+
+# Set the runtime status of the net.ipv4.conf.default.send_redirects kernel
+# parameter, to disable Kernel Parameter for Sending ICMP Redirects on all
+# IPv4 Interfaces by Default.
+# ICMP redirect messages are used by routers to inform hosts that a more
+# direct route exists for a particular destination. These messages contain
+# information from the system's route table possibly revealing portions of
+# the network topology.
+# The ability to send ICMP redirects is only appropriate for systems acting
+# as routers.
+net.ipv4.conf.default.send_redirects = 0
+
+# Set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter
+# to disable Accepting Router Advertisements on all IPv6 Interfaces by Default
+# An illicit router advertisement message could result in a man-in-the-middle
+# attack.
+net.ipv6.conf.default.accept_ra = 0
+
+# Set the runtime status of the net.ipv4.conf.default.secure_redirects kernel
+# parameter.
+# Accepting "secure" ICMP redirects (from those gateways listed as default
+# gateways) has few legitimate uses.
+# It should be disabled unless it is absolutely required.
+net.ipv4.conf.default.secure_redirects = 0