diff --git a/README.md b/README.md index baa450d..ed9e4d7 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,9 @@ Networking: - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. +- Optional - Respond to ARP requests only if the target IP address is + on-link, preventing some IP spoofing attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 52d31de..a2c3198 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -452,6 +452,13 @@ net.ipv6.conf.*.accept_redirects=0 ## #net.ipv4.conf.*.arp_filter=1 +## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. +## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +#net.ipv4.conf.*.arp_ignore=2 + ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
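Review bot: the new README bullet "Respond to ARP requests only if the target IP address is on-link" does not describe what arp_ignore=2 actually does. Per the arp_ignore entry in the kernel's ip-sysctl documentation, level 2 replies only when the target IP is a local address configured on the interface the request arrived on and the sender's IP is within one of that interface's subnets; the restriction is on the requester's address, not on the target (a local target is on-link by definition). Suggest rewording the bullet to something like "Reply to ARP requests only when the target address is configured on the receiving interface and the requester's address is in that interface's subnet, reducing some IP spoofing attacks." It would also help to say why this is Optional, as the bullet for arp_filter does not: a requester whose address lies outside the receiving interface's subnets, or a request for an address configured only on another interface (a VIP on lo or a dummy interface, for instance), gets no reply.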
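Review bot: the comment "Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link" above the new net.ipv4.conf.*.arp_ignore=2 line misstates the semantics: the kernel checks that the target IP is configured on the incoming interface and that the sender IP falls within a subnet of that interface, so the added scope restriction is on the requester, and arp_ignore=1 already provides the target-on-incoming-interface half of the check. Suggest rewording the two comment lines to say that, and citing the arp_ignore entry of the kernel's ip-sysctl documentation next to the cyber.gouv.fr link, since the PDF does not spell the condition out. Two operational points deserve a comment line, given that the file documents side effects elsewhere: the effective value is the maximum of conf/all and conf/<interface>, so a per-interface override cannot lower it back to 0 or 1 once the glob sets 2 everywhere, and hosts on the same segment but outside the interface's configured subnets will no longer resolve this machine. Leaving the line commented out matches the "Optional" label in the README; a pointer on how to verify the active value (sysctl net.ipv4.conf.all.arp_ignore) would round the block out.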