From af1d06973bdd46af3e39b0bdfda81b950ccac996 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 19 Dec 2024 10:31:43 +0000
Subject: [PATCH] Set `net.ipv4.conf.*.arp_filter=1`
---
 README.md | 3 +--
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index df12ba2..54a793a 100644
--- a/README.md
+++ b/README.md
@@ -105,8 +105,7 @@ Networking:
 - Optional - Deny sending and receiving shared media redirects to reduce the risk of IP spoofing attacks.
-- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
- cache poisoning attacks.
+- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks.
 - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 4cf6bb6..fd3ce59 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -460,7 +460,7 @@ net.ipv6.conf.*.accept_redirects=0
 ##
 ## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
 ##
-#net.ipv4.conf.*.arp_filter=1
+net.ipv4.conf.*.arp_filter=1
 ## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
 ## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
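Review bot: Uncommenting `net.ipv4.conf.*.arp_filter=1` in usr/lib/sysctl.d/990-security-misc.conf turns a previously optional setting into a default, and no compatibility caveat is visible next to it in this hunk. With arp_filter=1 the kernel answers an ARP request on an interface only if it would route traffic to the requester out of that same interface, so a host with several interfaces on one subnet needs source-based routing or some of its addresses may stop resolving for peers. I would add a line such as `## May break hosts with multiple interfaces on the same subnet unless source-based routing is configured.` above the setting, together with a short pointer on how to override it locally. The comment block for this setting starts above the hunk, so it may already cover this; if it does not, the README entry changed in the same commit is the other place the caveat belongs.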