system: as a POC move this security setting to the automatic sysctls #…

…7440 This might not work for all values as we would maybe like the have the FreeBSD default itself to work its magic. For security relevant things bootstrapping the value is useful, but for buffer sizes it might not be. (cherry picked from commit 24f36bf)
opnsense · May 22, 2024 · 04e5c21 · 04e5c21
1 parent 3b49f8a
commit 04e5c21
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 10 deletions.
diff --git a/src/etc/config.xml.sample b/src/etc/config.xml.sample
@@ -186,15 +186,6 @@
       <tunable>net.inet.ip.redirect</tunable>
       <value>default</value>
     </item>
-    <item>
-      <descr><![CDATA[
-        Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
-        to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
-        packets without returning a response.
-      ]]></descr>
-      <tunable>net.inet.icmp.drop_redirect</tunable>
-      <value>1</value>
-    </item>
     <item>
       <descr><![CDATA[Maximum outgoing UDP datagram size]]></descr>
       <tunable>net.local.dgram.maxdgram</tunable>

diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
@@ -81,7 +81,7 @@ function system_sysctl_defaults()
         'net.enc.in.ipsec_filter_mask' => [ 'default' => '2', 'required' => true ], /* after processing */
         'net.enc.out.ipsec_bpf_mask' => [ 'default' => '1', 'required' => true ], /* before processing */
         'net.enc.out.ipsec_filter_mask' => [ 'default' => '1', 'required' => true ], /* before processing */
-        'net.inet.icmp.drop_redirect' => [ 'default' => '0' ],
+        'net.inet.icmp.drop_redirect' => [ 'default' => '1', 'required' => true ],
         'net.inet.icmp.icmplim' => [ 'default' => '0' ],
         'net.inet.icmp.log_redirect' => [ 'default' => '0' ],
         'net.inet.icmp.reply_from_interface' => [ 'default' => '1', 'required' => true ],