By default, don't accept IPv4 ICMP redirects. This behaviour can be

changed with a sysctl, so note it in sysctl.conf. v6 needs further
testing following discussions on the tech mailing list; rainer@ points
out possible interactions with neighbour discovery which need to be
investigated first.
"go ahead on the v4 part" deraadt@

src/etc/sysctl.conf

@@ -1,4 +1,4 @@
-#	$OpenBSD: sysctl.conf,v 1.46 2008/01/05 18:38:37 mbalmer Exp $
+#	$OpenBSD: sysctl.conf,v 1.47 2009/06/09 11:52:54 sthen Exp $
 #
 # This file contains a list of sysctl options the user wants set at
 # boot time.  See sysctl(3) and sysctl(8) for more information on
@@ -7,6 +7,8 @@
 #net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of IPv4 packets
 #net.inet.ip.mforwarding=1	# 1=Permit forwarding (routing) of IPv4 multicast packets
 #net.inet.ip.multipath=1	# 1=Enable IP multipath routing
+#net.inet.icmp.rediraccept=1	# 1=Accept ICMP redirects
+#net.inet6.icmp6.rediraccept=0	# 0=Don't accept IPv6 ICMP redirects
 #net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of IPv6 packets
 #net.inet6.ip6.mforwarding=1	# 1=Permit forwarding (routing) of IPv6 multicast packets
 #net.inet6.ip6.multipath=1	# 1=Enable IPv6 multipath routing