Merge pull request #279 from raja-grewal/arp

Provide network-related hardening options via `sysctl`'s

README.md

@@ -102,6 +102,18 @@ Networking:
 - Disable ICMP redirect acceptance and redirect sending messages to prevent
   man-in-the-middle attacks and minimize information disclosure.
 
+- Optional - Deny sending and receiving shared media redirects to reduce
+  the risk of IP spoofing attacks.
+
+- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
+  cache poisoning attacks.
+
+- Optional - Respond to ARP requests only if the target IP address is
+  on-link, preventing some IP spoofing attacks.
+
+- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
+  via man-in-the-middle and denial-of-service attacks.
+
 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
 
 - Ignore bogus ICMP error responses.

usr/lib/sysctl.d/990-security-misc.conf

@@ -443,6 +443,48 @@ net.ipv4.conf.*.send_redirects=0
 net.ipv6.conf.*.accept_redirects=0
 #net.ipv4.conf.*.secure_redirects=1
 
+## Deny sending and receiving RFC1620 shared media redirects.
+## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs.
+## Stops the kernel from sending ICMP redirects to specific networks from the connected network.
+## This variable overrides the use secure_redirects.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+## https://datatracker.ietf.org/doc/html/rfc1620
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+##
+#net.ipv4.conf.*.shared_media=0
+
+## Enable ARP (Address Resolution Protocol) filtering.
+## Prevents the Linux kernel from handling the ARP table globally
+## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
+## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+##
+#net.ipv4.conf.*.arp_filter=1
+
+## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
+## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium
+## https://github.com/mullvad/mullvadvpn-app/pull/7141
+## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
+##
+#net.ipv4.conf.*.arp_ignore=2
+
+## Drop gratuitous ARP (Address Resolution Protocol) packets.
+## Stops ARP responses sent by a device without being explicitly requested.
+## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
+## Prevents man-in-the-middle and denial-of-service attacks.
+## May cause breakages when ARP proxies are used in the network.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
+## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
+##
+#net.ipv4.conf.*.drop_gratuitous_arp=1
+
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
 ##