From c2aae73ce161811571e4c85609a0b043399c1b65 Mon Sep 17 00:00:00 2001
From: raja-grewal <rg_public@proton.me>
Date: Wed, 13 Nov 2024 05:38:03 +0000
Subject: [PATCH] Add reference and move text

---
 README.md                               |  6 +++---
 usr/lib/sysctl.d/990-security-misc.conf | 23 ++++++++++++-----------
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 3404414..e167a87 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,9 @@ Networking:
 - Disable ICMP redirect acceptance and redirect sending messages to prevent
   man-in-the-middle attacks and minimize information disclosure.
 
+- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
+  via man-in-the-middle and denial-of-service attacks.
+
 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
 
 - Ignore bogus ICMP error responses.
@@ -121,9 +124,6 @@ Networking:
 
 - Optional - Enable IPv6 Privacy Extensions.
 
-- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
-  via man-in-the-middle and denial-of-service attacks.
-
 ### Boot parameters
 
 Mitigations for known CPU vulnerabilities are enabled in their strictest form
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 2bec703..054dcbf 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -443,6 +443,18 @@ net.ipv4.conf.*.send_redirects=0
 net.ipv6.conf.*.accept_redirects=0
 #net.ipv4.conf.*.secure_redirects=1
 
+## Drop gratuitous ARP (Address Resolution Protocol) packets.
+## Stops ARP responses sent by a device without being explicitly requested.
+## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
+## Prevents man-in-the-middle and denial-of-service attacks.
+## May cause breakages when ARP proxies are used in the network.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
+## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
+##
+#net.ipv4.conf.*.drop_gratuitous_arp=1
+
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
 ##
@@ -526,14 +538,3 @@ net.ipv4.tcp_timestamps=0
 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
 ##
 #net.ipv6.conf.*.use_tempaddr=2
-
-## Drop gratuitous ARP (Address Resolution Protocol) packets.
-## Stops ARP responses sent by a device without being explicitly requested.
-## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
-## Prevents man-in-the-middle and denial-of-service attacks.
-## May cause breakages when ARP proxies are used in the network.
-##
-## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
-## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
-##
-#net.ipv4.conf.*.drop_gratuitous_arp=1