From 2e6e1701a052ef32711f6c3abaad693a773323f6 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 19 Dec 2024 10:35:08 +0000
Subject: [PATCH] Set `net.ipv4.conf.*.drop_gratuitous_arp=1`
---
 README.md | 4 ++--
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index df12ba2..923ee2b 100644
--- a/README.md
+++ b/README.md
@@ -111,8 +111,8 @@ Networking: - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. -- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning - via man-in-the-middle and denial-of-service attacks. +- Drop gratuitous ARP packets to prevent ARP cache poisoning via + man-in-the-middle and denial-of-service attacks. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 4cf6bb6..495de4a 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -482,7 +482,7 @@ net.ipv6.conf.*.accept_redirects=0
 ## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
 ## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
 ##
-#net.ipv4.conf.*.drop_gratuitous_arp=1
+net.ipv4.conf.*.drop_gratuitous_arp=1
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
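Review bot: The now-active `net.ipv4.conf.*.drop_gratuitous_arp=1` line in 990-security-misc.conf carries no comment on what it costs to have this on by default. Gratuitous ARP is also how an address takeover (VRRP/keepalived failover, some VM migrations) tells neighbours about the new MAC, so a host with this set may keep sending to the old MAC until its neighbour entry is re-resolved. I would add above the setting something like `## May delay recovery after an IP failover that relies on gratuitous ARP; override to 0 locally if needed.` The setting only drops gratuitous frames, so it presumably narrows rather than fully prevents ARP cache poisoning, and the README wording "prevent" could be softened to match. The comment block for this setting starts above the hunk, so it may already cover part of this.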