diff --git a/README.md b/README.md index e167a87..baa450d 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP + cache poisoning attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 054dcbf..52d31de 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -443,6 +443,15 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Enable ARP (Address Resolution Protocol) filtering. +## Prevents the Linux kernel from handling the ARP table globally +## Can mitigate some ARP spoofing and ARP cache poisoning attacks. +## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +#net.ipv4.conf.*.arp_filter=1 + ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
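Review bot: In the README hunk, the new bullet's claim that ARP filtering mitigates "ARP cache poisoning attacks" overstates what `arp_filter=1` does: the sysctl only changes which interface the kernel answers ARP requests on (it answers only when it would route a packet to the requested address out that interface), so it narrows ARP replies on multi-homed hosts rather than validating the ARP entries the host accepts. Suggest wording the bullet to match that, for example "Optional - Enable ARP filtering so each interface only answers ARP requests for addresses it routes, limiting some ARP spoofing on multi-homed hosts", and keeping the "Optional" prefix, since the corresponding sysctl line is shipped commented out.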
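Review bot: In the sysctl.d hunk, the comment "Prevents the Linux kernel from handling the ARP table globally" does not describe the knob: per the kernel's ip-sysctl documentation, `arp_filter=1` makes the kernel answer an ARP request on an interface only if it would route a packet to the requested IP out that same interface, and it is enabled when either `conf/all/arp_filter` or the per-interface value is set. The comment should say that, and the caveat should note the documented requirement that multi-homed hosts with several interfaces on one subnet need source-based routing for this to work, since enabling it without that silently breaks reachability of the other interfaces. "Can mitigate some ARP spoofing and ARP cache poisoning attacks" should be softened to the ARP-spoofing case, because the setting does not filter incoming ARP replies or the ARP cache. Leaving the line commented out (`#net.ipv4.conf.*.arp_filter=1`) is the right default given that caveat.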