diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf
index 699fafb..7174c2d 100644
--- a/etc/sysctl.d/tcp_hardening.conf
+++ b/etc/sysctl.d/tcp_hardening.conf
@@ -33,4 +33,9 @@ net.ipv4.tcp_syncookies=1
 net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.default.accept_source_route=0
+## Enable reverse path filtering to prevent IP spoofing and
+## mitigate vulnerabilities such as CVE-2019-14899.
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+
 #### meta end
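Review bot: The two added `rp_filter=1` lines do not guarantee strict filtering on every interface, because the kernel applies the higher of `conf.all.rp_filter` and the per-interface value, and `conf.default` only seeds interfaces created after it is applied. An interface already set to 2 (loose) by a distribution default or another sysctl.d file therefore stays loose, which, as far as I recall, is the mode the CVE-2019-14899 report associated with exposure. It is worth checking the effective values after boot with `sysctl -a | grep '\.rp_filter'` and confirming where this file sorts among the other sysctl.d files. The comment also overstates the coverage, since `rp_filter` is IPv4-only and strict mode drops legitimate traffic on hosts with asymmetric routing. I would extend the comment with `## IPv4 only; IPv6 needs a firewall reverse-path rule. Strict mode can` / `## drop traffic on multi-homed hosts with asymmetric routes.`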