From 30289c68c24a8aa2ce5f336b79f92cffb7aa98c7 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 5 Dec 2019 20:13:10 +0000 Subject: [PATCH 1/2] Enable reverse path filtering --- etc/sysctl.d/tcp_hardening.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf index 699fafb..7174c2d 100644 --- a/etc/sysctl.d/tcp_hardening.conf +++ b/etc/sysctl.d/tcp_hardening.conf @@ -33,4 +33,9 @@ net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 +## Enable reverse path filtering to prevent IP spoofing and +## mitigate vulnerabilities such as CVE-2019-14899. +net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.all.rp_filter=1 + #### meta end From af9e19c51f256504c5c2206e31da1911872b6ef8 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 5 Dec 2019 20:14:55 +0000 Subject: [PATCH 2/2] Update control --- debian/control | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index a464eaf..8a4f6c7 100644 --- a/debian/control +++ b/debian/control @@ -43,8 +43,9 @@ Description: enhances misc security settings * The TCP/IP stack is hardened by disabling ICMP redirect acceptance, ICMP redirect sending and source routing to prevent man-in-the-middle attacks, ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood - attacks and enabling RFC1337 to protect against time-wait assassination - attacks. + attacks, enabling RFC1337 to protect against time-wait assassination + attacks and enabling reverse path filtering to prevent IP spoofing and + mitigate vulnerabilities such as CVE-2019-14899. . * Some data spoofing attacks are made harder. .
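Review bot: In the tcp_hardening.conf hunk, `rp_filter=1` selects strict mode, which drops any packet whose source address is not reachable via the interface it arrived on, so multi-homed hosts or hosts with asymmetric routing will silently lose legitimate traffic; either document this in the comment or consider loose mode (`rp_filter=2`), which only requires the source to be reachable via some interface. The kernel applies the maximum of `conf.all.rp_filter` and the per-interface value, so setting `all` here overrides any lower per-interface setting an administrator has chosen. The comment "prevent IP spoofing" also overstates what the check does: it rejects spoofed sources that the routing table does not expect on that interface, and it covers IPv4 only (there is no `net.ipv6` equivalent sysctl), so "mitigate" would be more accurate.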
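Review bot: In the debian/control hunk, the package description now claims reverse path filtering will "prevent IP spoofing", which does not match the actual behaviour of the sysctl added in the first patch (source validation against the routing table, IPv4 only); suggest wording it as "mitigate IP spoofing" so the description does not promise more than the setting delivers. The resulting sentence is also a single run-on listing six measures; splitting it after "SYN flood attacks" (e.g. "... SYN flood attacks. RFC1337 is enabled to protect against time-wait assassination attacks and reverse path filtering to mitigate ...") would keep the Debian long description readable.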