How to Enable or Disable macOS ICMP Redirects with Shell Script

For IT professionals and Managed Service Providers (MSPs), ensuring the security and proper behavior of network protocols on managed endpoints is a continuous responsibility. ICMP Redirects, while sometimes useful for route optimization, can also open the door to network-based attacks if left unchecked, so knowing how to enable or disable them on macOS matters. Managing these settings requires terminal-level access and administrative rights, which makes automation through shell scripting not only practical but essential in larger environments.

Background

ICMP Redirects allow routers to inform hosts of better gateways for routing packets, which can optimize network performance. However, they also introduce a security risk if a malicious actor sends spoofed redirect messages, potentially rerouting traffic through a compromised node. For environments prioritizing security, especially within government or compliance-focused sectors, disabling ICMP Redirects is often a requirement.

The script discussed here provides a configurable, command-line-based method to enable or disable ICMP Redirects on macOS systems. It’s especially useful for IT administrators managing fleets of Macs via automation platforms like NinjaOne or Munki.

The Script

#!/usr/bin/env bash

# Description: Enable or Disable ICMP Redirects on the system.
#   By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
#   Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
#   Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
#   Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
#   Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
#   Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
#   Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
#   EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#
# Release Notes: Initial Release
#
# Usage: [--enable|-e] [--disable|-d] [--help|-h]
#
# Preset Parameter: --enable
#		Enable ICMP Redirects on the system.
#
# Preset Parameter: --disable
#		Disable ICMP Redirects on the system.
#
# Preset Parameter: --help
#		Displays this help menu.

_arg_enable="off"
_arg_disable="off"

die() {
    local _ret="${2:-1}"
    echo "$1" >&2
    exit "${_ret}"
}

# Function to print the help message
print_help() {
    printf '\n\n%s\n\n' 'Usage: [--enable|-e] [--disable|-d] [--help|-h]'
    printf '%s\n' 'Preset Parameter: --enable'
    printf '\t%s\n' "Enable ICMP Redirects on the system."
    printf '%s\n' 'Preset Parameter: --disable'
    printf '\t%s\n' "Disable ICMP Redirects on the system."
    printf '%s\n' 'Preset Parameter: --help'
    printf '\t%s\n' "Displays this help menu."
}

# read command line arguments
while test $# -gt 0; do
    _key="$1"
    case "$_key" in
    --enable | -e)
        _arg_enable="on"
        ;;
    --disable | -d)
        _arg_disable="on"
        ;;
    --help | -h)
        print_help
        exit 0
        ;;
    *)
        die "FATAL ERROR: Got an unexpected argument '$1'" 1
        ;;
    esac
    shift
done

# Fall back to the "action" environment variable (set by the automation
# platform) only when no command-line flag was given, so explicit flags win.
if [[ "${_arg_enable}" == "off" ]] && [[ "${_arg_disable}" == "off" ]]; then
    if [[ "${action}" == "Enable" ]]; then
        # Enable ICMP Redirects
        _arg_enable="on"
        _arg_disable="off"
    elif [[ "${action}" == "Disable" ]]; then
        # Disable ICMP Redirects
        _arg_enable="off"
        _arg_disable="on"
    else
        # Default to enable
        _arg_enable="on"
        _arg_disable="off"
    fi
fi

# --enable and --disable are mutually exclusive
if [[ "${_arg_enable}" == "on" ]] && [[ "${_arg_disable}" == "on" ]]; then
    die "[Error] Specify either --enable or --disable, not both." 1
fi

# Check if the script is running as root
if [[ $EUID -ne 0 ]]; then
    die "[Error] This script must be run as root." 1
fi

# Read the current values (0 = disabled, 1 = enabled); -n prints only the value
_redirectsv4=$(sysctl -n net.inet.ip.redirect)
_redirectsv6=$(sysctl -n net.inet6.ip6.redirect)

# Check if ICMP Redirects are already enabled or disabled
if ((_redirectsv4 == 1)) && ((_redirectsv6 == 1)) && [[ $_arg_enable == "on" ]]; then
    echo "[Info] ICMP IPv4 Redirects already enabled."
    echo "[Info] ICMP IPv6 Redirects already enabled."
    exit 0
elif ((_redirectsv4 == 0)) && ((_redirectsv6 == 0)) && [[ $_arg_disable == "on" ]]; then
    echo "[Info] ICMP IPv4 Redirects already disabled."
    echo "[Info] ICMP IPv6 Redirects already disabled."
    exit 0
fi

# Enable ICMP Redirects
if [[ $_arg_enable == "on" ]]; then
    if ! sysctl net.inet.ip.redirect=1; then
        echo "[Error] Failed to enable ICMP IPv4 Redirects."
        exit 1
    fi
    echo "[Info] ICMP IPv4 Redirects enabled."
    if ! sysctl net.inet6.ip6.redirect=1; then
        echo "[Error] Failed to enable ICMP IPv6 Redirects."
        exit 1
    fi
    echo "[Info] ICMP IPv6 Redirects enabled."
# Disable ICMP Redirects
elif [[ $_arg_disable == "on" ]]; then
    if ! sysctl net.inet.ip.redirect=0; then
        echo "[Error] Failed to disable ICMP IPv4 Redirects."
        exit 1
    fi
    echo "[Info] ICMP IPv4 Redirects disabled."
    if ! sysctl net.inet6.ip6.redirect=0; then
        echo "[Error] Failed to disable ICMP IPv6 Redirects."
        exit 1
    fi
    echo "[Info] ICMP IPv6 Redirects disabled."
elif [[ "${_arg_enable}" == "off" ]] && [[ "${_arg_disable}" == "off" ]]; then
    echo "[Error] No action was given. Please specify either Enable or Disable."
    exit 1
fi


Detailed Breakdown

This script is written in Bash and is designed to be run with root privileges. Below is a step-by-step overview of how it operates:

  1. Parameter Handling
    The script accepts three parameters:

    • --enable or -e: Enables ICMP Redirects.
    • --disable or -d: Disables ICMP Redirects.
    • --help or -h: Displays usage instructions.
  2. Default Behavior
    If no arguments are passed but the environment variable action is set to either Enable or Disable, the script adjusts behavior accordingly. Otherwise, it defaults to enabling ICMP Redirects.
  3. Root Privilege Validation
    The script checks if it’s being run as the root user and exits with an error if not. This is necessary because modifying sysctl settings requires elevated permissions.
  4. State Inspection
    It reads the current ICMP Redirect status using sysctl for both IPv4 (net.inet.ip.redirect) and IPv6 (net.inet6.ip6.redirect).
  5. Redundancy Checks
    If the requested action is already in place (e.g., ICMP Redirects are already disabled and --disable is passed), the script exits early with an informational message.
  6. Configuration Execution
    Depending on the selected action, the script uses sysctl to enable or disable the relevant settings and outputs the result.
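A drift check built on the same two sysctl keys the script inspects, added here as an example and not part of the NinjaOne script: it parses captured sysctl output, compares it against a policy of "enabled" or "disabled", and returns a status a monitoring job can alert on. The function names and the sample output are constructed for this example.

```shell
# Added example, not part of the NinjaOne script: audit the two sysctl keys the
# script manages and report drift from a policy of "enabled" or "disabled".

# Pull one key's value out of sysctl output of the form "net.inet.ip.redirect: 1".
# Arguments: key, raw output text. Fails if the key is absent from the output.
sysctl_value_from_output() {
    printf '%s\n' "$2" | awk -v k="$1:" '
        $1 == k { print $2; found = 1 }
        END { if (!found) exit 1 }'
}

# Compare observed IPv4/IPv6 values against the policy. Prints one line per key
# and returns 0 only when both comply, 1 on drift, 2 on an unknown policy name.
check_icmp_redirect_policy() {
    policy="$1"; v4="$2"; v6="$3"
    case "$policy" in
        enabled)  want=1 ;;
        disabled) want=0 ;;
        *) echo "[Error] Unknown policy '$policy'" >&2; return 2 ;;
    esac
    rc=0
    for pair in "net.inet.ip.redirect=$v4" "net.inet6.ip6.redirect=$v6"; do
        key=${pair%%=*}; val=${pair#*=}
        if [ "$val" = "$want" ]; then
            echo "[Info] $key=$val (compliant)"
        else
            echo "[Warn] $key=$val (policy requires $want)"
            rc=1
        fi
    done
    return "$rc"
}

# Audit a captured sysctl dump. Returns 0 when compliant, 1 on drift,
# 2 if either key is missing or the policy name is invalid.
audit_icmp_redirects() {
    v4=$(sysctl_value_from_output net.inet.ip.redirect "$2") || return 2
    v6=$(sysctl_value_from_output net.inet6.ip6.redirect "$2") || return 2
    check_icmp_redirect_policy "$1" "$v4" "$v6"
}

# Constructed sample of what `sysctl net.inet.ip.redirect net.inet6.ip6.redirect`
# prints on a Mac where only the IPv6 key has been locked down.
SAMPLE_DRIFTED='net.inet.ip.redirect: 1
net.inet6.ip6.redirect: 0'

# On a real Mac, feed the live output instead of the sample:
#   audit_icmp_redirects disabled "$(sysctl net.inet.ip.redirect net.inet6.ip6.redirect)"
audit_icmp_redirects disabled "$SAMPLE_DRIFTED" || echo "[Info] exit status $? signals drift"
```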

Potential Use Cases

Case Study: Securing macOS Devices in a Financial Institution

A financial firm with strict regulatory requirements around network security wants to ensure ICMP Redirects are disabled on all employee MacBooks. The IT department integrates this script into NinjaOne as a custom script policy. With a simple push, the script runs across all managed endpoints, ensuring compliance without manual intervention.

Comparisons

Other methods of managing ICMP Redirects on macOS include:

  • Manual Editing of sysctl.conf (Deprecated): Older macOS versions allowed persistent changes via /etc/sysctl.conf, which is no longer supported.
  • Using Configuration Profiles: While profiles can enforce settings, they are more complex to configure and deploy, especially for temporary changes.
  • Third-party Tools: Some endpoint management solutions include GUI toggles for network settings, but they lack the transparency and flexibility of a shell script.

This script strikes a balance between simplicity and control, making it ideal for automated workflows.

FAQs

Q: Does this script persist settings after reboot?

A: No, macOS does not persist sysctl settings by default. You would need to automate it via launch daemons or configuration profiles for persistent changes.

Q: Can this script run without root?

A: No, modifying sysctl settings requires root privileges.

Q: Will this affect network connectivity?

A: Disabling ICMP Redirects can impact routing efficiency but is generally safe on well-managed, static-route networks.

Implications

Disabling ICMP Redirects helps mitigate man-in-the-middle attacks and routing spoofing. However, it may also prevent legitimate route optimizations in dynamic networks. IT teams should weigh security versus performance, especially in mobile or hybrid environments.

From a compliance perspective, controlling ICMP behavior is often part of security benchmarks like CIS or NIST guidelines. Ensuring this setting is managed via scripting allows for easier auditing and reporting.

Recommendations

  • Always test the script in a development environment before deploying it fleet-wide.
  • For persistence, consider pairing this script with a launch daemon or including it in a provisioning workflow.
  • Use monitoring tools to alert administrators if the ICMP settings deviate from policy.
  • Document the rationale for enabling or disabling ICMP Redirects in your organization’s security policy.
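Because sysctl values do not survive a reboot, the following added example (not from the NinjaOne script) generates and installs a LaunchDaemon that re-applies the setting at boot. The label com.example.icmp-redirects, the plist path and the function names are assumptions for this example.

```shell
# Added example, not part of the NinjaOne script: generate and install a
# LaunchDaemon that re-applies the ICMP Redirect setting at every boot.
# The label and plist path are assumptions, not values from the original post.

LABEL="com.example.icmp-redirects"
PLIST_PATH="/Library/LaunchDaemons/${LABEL}.plist"

# Print the plist for a desired value (0 = disabled, 1 = enabled). launchd runs
# /usr/sbin/sysctl with both keys once at load, which for a daemon means at boot.
icmp_redirect_launchdaemon_plist() {
    case "$1" in
        0|1) ;;
        *) echo "[Error] value must be 0 or 1, got '$1'" >&2; return 2 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/sysctl</string>
        <string>net.inet.ip.redirect=$1</string>
        <string>net.inet6.ip6.redirect=$1</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Write the plist with the root:wheel ownership and 644 mode launchd requires,
# then (re)load it. Needs root; returns non-zero otherwise or on any failure.
install_icmp_redirect_launchdaemon() {
    [ "$(id -u)" -eq 0 ] || { echo "[Error] This must be run as root." >&2; return 1; }
    content=$(icmp_redirect_launchdaemon_plist "$1") || return 2
    printf '%s\n' "$content" > "$PLIST_PATH" || return 1
    chown root:wheel "$PLIST_PATH" && chmod 644 "$PLIST_PATH" || return 1
    launchctl bootout system "$PLIST_PATH" 2>/dev/null || true   # not loaded yet is fine
    launchctl bootstrap system "$PLIST_PATH"
}

# Usage on a Mac, as root, to keep ICMP Redirects disabled across reboots:
#   install_icmp_redirect_launchdaemon 0
```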

Final Thoughts

Automating network configuration tasks like managing ICMP Redirects is a small but meaningful step toward a secure macOS environment. Tools like NinjaOne amplify the impact of such scripts by enabling centralized deployment, auditing, and remediation.

For organizations managing dozens or hundreds of Mac endpoints, a simple shell script like this—combined with NinjaOne’s powerful automation capabilities—transforms a manual task into a secure, scalable process. Whether you’re locking down your endpoints for compliance or simply reducing network risk, configuring ICMP Redirects in macOS with shell scripting is a valuable tactic in your cybersecurity playbook.

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service delivery tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about NinjaOne Remote Script Deployment, check out a live tour, or start your free trial of the NinjaOne platform.
