From c37f4efadf8f046168732871172cb66f58eb7c78 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 19 Dec 2024 10:33:49 +0000
Subject: [PATCH] Set `net.ipv4.conf.*.arp_ignore=2`
---
 README.md | 4 ++--
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index df12ba2..3eb30d6 100644
--- a/README.md
+++ b/README.md
@@ -108,8 +108,8 @@ Networking:
 - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks.
-- Optional - Respond to ARP requests only if the target IP address is
- on-link, preventing some IP spoofing attacks.
+- Respond to ARP requests only if the target IP address is on-link,
+ preventing some IP spoofing attacks.
 - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 4cf6bb6..fc176d3 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -470,7 +470,7 @@ net.ipv6.conf.*.accept_redirects=0
 ## https://github.com/mullvad/mullvadvpn-app/pull/7141
 ## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
 ##
-#net.ipv4.conf.*.arp_ignore=2
+net.ipv4.conf.*.arp_ignore=2
 ## Drop gratuitous ARP (Address Resolution Protocol) packets.
 ## Stops ARP responses sent by a device without being explicitly requested.
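Review bot: The now-default `net.ipv4.conf.*.arp_ignore=2` line in the 990-security-misc.conf hunk has no compatibility caveat in the comment lines visible above it, which show only the two reference URLs. The kernel documents value 2 as replying only when the target address is configured on the incoming interface and the sender's address is in the same subnet on that interface. Hosts whose gateway or peer sits outside the interface's subnet (for example /32 or point-to-point addressing) may therefore stop answering ARP once this is on by default. I would add a line such as `## May break ARP resolution where the peer's address is outside the interface's subnet; override in a later-sorted sysctl.d file if needed.` The comment block starts outside the hunk, so this may already be covered further up.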