Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-08-07 03:34:24 -04:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #289 from raja-grewal/arp_filter

Browse source 
Enable ARP filtering
This commit is contained in:
Patrick Schleizer 2025-01-10 10:28:48 -05:00 committed by GitHub
commit 17ff249150
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 3 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -105,8 +105,7 @@ Networking:
- Deny sending and receiving shared media redirects to reduce the risk of IP - Deny sending and receiving shared media redirects to reduce the risk of IP
spoofing attacks. spoofing attacks.
- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks.
cache poisoning attacks.
- Optional - Respond to ARP requests only if the target IP address is - Optional - Respond to ARP requests only if the target IP address is
on-link, preventing some IP spoofing attacks. on-link, preventing some IP spoofing attacks.

4
usr/lib/sysctl.d/990-security-misc.conf
View file

@ -454,13 +454,13 @@ net.ipv6.conf.*.accept_redirects=0
net.ipv4.conf.*.shared_media=0 net.ipv4.conf.*.shared_media=0
## Enable ARP (Address Resolution Protocol) filtering. ## Enable ARP (Address Resolution Protocol) filtering.
## Prevents the Linux kernel from handling the ARP table globally ## Prevents the Linux kernel from handling the ARP table globally.
## Can mitigate some ARP spoofing and ARP cache poisoning attacks. ## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. ## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
## ##
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf ## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
## ##
#net.ipv4.conf.*.arp_filter=1 net.ipv4.conf.*.arp_filter=1
## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. ## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. ## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.