2 files changed, 28 insertions, 0 deletions

diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
new file mode 100644
index 00000000..0f226a84
--- /dev/null
+++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
@@ -0,0 +1,19 @@
+---
+upgrade:
+  - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects
+    are now set to 0 to prevent a compromised host from sending invalid ICMP
+    redirects to other router devices.
+  - The net.ipv4.conf.default.accept_redirects,
+    net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects
+    are now set to 0 to prevent forged ICMP packet from altering host's routing
+    tables.
+  - The net.ipv4.conf.default.secure_redirects &
+    net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance
+    of secure ICMP redirected packets.
+security:
+  - Invalide ICMP redirects may corrupt routing and have users access a system
+    set up by the attacker as opposed to a valid system.
+  - Routing tables may be altered by bogus ICMP redirect messages and send
+    packets to incorrect networks.
+  - Secure ICMP redirects are the same as ICMP redirects, except they come from
+    gateways listed on the default gateway list.
diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
new file mode 100644
index 00000000..bb2543f2
--- /dev/null
+++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are
+    now set to 1 to enable logging of suspicious packets.
+security:
+  - |
+    Logging of suspicious packets allows an administrator to investigate the
+    spoofed packets sent to their system.