mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:13:40 +07:00
Provide option to enable ARP filtering
This commit is contained in:
parent
c2aae73ce1
commit
a25d4f8df8
@ -102,6 +102,9 @@ Networking:
|
||||
- Disable ICMP redirect acceptance and redirect sending messages to prevent
|
||||
man-in-the-middle attacks and minimize information disclosure.
|
||||
|
||||
- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
|
||||
cache poisoning attacks.
|
||||
|
||||
- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
|
||||
via man-in-the-middle and denial-of-service attacks.
|
||||
|
||||
|
@ -443,6 +443,15 @@ net.ipv4.conf.*.send_redirects=0
|
||||
net.ipv6.conf.*.accept_redirects=0
|
||||
#net.ipv4.conf.*.secure_redirects=1
|
||||
|
||||
## Enable ARP (Address Resolution Protocol) filtering.
|
||||
## Prevents the Linux kernel from handling the ARP table globally
|
||||
## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
|
||||
## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
|
||||
##
|
||||
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
|
||||
##
|
||||
#net.ipv4.conf.*.arp_filter=1
|
||||
|
||||
## Drop gratuitous ARP (Address Resolution Protocol) packets.
|
||||
## Stops ARP responses sent by a device without being explicitly requested.
|
||||
## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
|
||||
|
Loading…
Reference in New Issue
Block a user