From a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 8 Nov 2024 03:58:23 +0000 Subject: [PATCH 1/6] Provide option to drop gratuitous ARP packets --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/README.md b/README.md index c23d261..3404414 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,9 @@ Networking: - Optional - Enable IPv6 Privacy Extensions. +- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning + via man-in-the-middle and denial-of-service attacks. + ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 6009fc4..2bec703 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -526,3 +526,14 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2 + +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. +## +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +#net.ipv4.conf.*.drop_gratuitous_arp=1 From c2aae73ce161811571e4c85609a0b043399c1b65 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:38:03 +0000 Subject: [PATCH 2/6] Add reference and move text --- README.md | 6 +++--- usr/lib/sysctl.d/990-security-misc.conf | 23 ++++++++++++----------- 2 files changed, 15 insertions(+), 14 deletions(-) 
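Review bot: In the `990-security-misc.conf` hunk of this patch the line `## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.` overstates what `drop_gratuitous_arp=1` does: the kernel only ignores unsolicited ARP announcements, while a forged reply that answers a genuine request is not affected, so poisoning is narrowed rather than prevented. Suggest `## Mitigates ARP cache poisoning by ignoring unsolicited ARP announcements; solicited replies can still be spoofed.` in place of that line. The breakage line should also mention that hosts which learn a moved address from gratuitous ARP (failover or IP-takeover setups) stop doing so, not only networks with ARP proxies. The same comment block is moved unchanged by the `@@ -443,6 +443,18 @@` hunk of the second patch and inherited by every later patch, so the wording fix applies there as well.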
diff --git a/README.md b/README.md index 3404414..e167a87 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning + via man-in-the-middle and denial-of-service attacks. + - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - Ignore bogus ICMP error responses. @@ -121,9 +124,6 @@ Networking: - Optional - Enable IPv6 Privacy Extensions. -- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning - via man-in-the-middle and denial-of-service attacks. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 2bec703..054dcbf 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -443,6 +443,18 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +#net.ipv4.conf.*.drop_gratuitous_arp=1 + ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## 
@@ -526,14 +538,3 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2 - -## Drop gratuitous ARP (Address Resolution Protocol) packets. -## Stops ARP responses sent by a device without being explicitly requested. -## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. -## Prevents man-in-the-middle and denial-of-service attacks. -## May cause breakages when ARP proxies are used in the network. -## -## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ -## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ -## -#net.ipv4.conf.*.drop_gratuitous_arp=1 From a25d4f8df88908e83e56049204aa625f1196a948 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:40:21 +0000 Subject: [PATCH 3/6] Provide option to enable ARP filtering --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index e167a87..baa450d 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP + cache poisoning attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 054dcbf..52d31de 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -443,6 +443,15 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Enable ARP (Address Resolution Protocol) filtering. +## Prevents the Linux kernel from handling the ARP table globally +## Can mitigate some ARP spoofing and ARP cache poisoning attacks. +## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +#net.ipv4.conf.*.arp_filter=1 + ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. From 18aec201bfb0477fee8800ad1388099e11920016 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:41:25 +0000 Subject: [PATCH 4/6] Provide option to harden response to ARP requests --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index baa450d..ed9e4d7 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,9 @@ Networking: - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. +- Optional - Respond to ARP requests only if the target IP address is + on-link, preventing some IP spoofing attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 52d31de..a2c3198 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
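Review bot: `## Prevents the Linux kernel from handling the ARP table globally` does not describe `arp_filter=1` and is missing its full stop; with this option the kernel answers an ARP request on an interface only when a packet from the requested address towards the sender would be routed out of that same interface, which matters on multi-homed hosts with several interfaces on one subnet and is close to a no-op on single-interface machines. Suggest replacing that line with `## Answers ARP requests on an interface only if the kernel would route traffic for the requested address out of that interface.` and adding `## Mainly relevant for hosts with several interfaces on the same subnet.` so readers can judge whether enabling it buys them anything. The kernel documents this knob in Documentation/networking/ip-sysctl.rst, which is a better primary reference than the cyber.gouv.fr guide alone.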
@@ -452,6 +452,13 @@ net.ipv6.conf.*.accept_redirects=0 ## #net.ipv4.conf.*.arp_filter=1 +## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. +## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +#net.ipv4.conf.*.arp_ignore=2 + ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. From 141b84c40de76988ec78bdccf1c1d67fc4367b3f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:42:56 +0000 Subject: [PATCH 5/6] Provide option to deny sending and receiving shared media redirects --- README.md | 5 ++++- usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ed9e4d7..50b3cf0 100644 --- a/README.md +++ b/README.md @@ -102,12 +102,15 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Deny sending and receiving shared media redirects to reduce + the risk of IP spoofing attacks. + - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. - + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a2c3198..c43ca19 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
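Review bot: `## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.` understates mode 2 of `arp_ignore`: the kernel replies only when the target address is configured on the receiving interface and the sender's address lies in the same subnet as that address, so "on-link" hides both the per-interface scoping and the sender check. Suggest `## Reply to ARP requests only if the target address is configured on the receiving interface and the sender is in the same subnet as that address.` for that line, plus a breakage line such as `## Breaks setups that expect replies for addresses held on other interfaces, e.g. a host acting as gateway for attached VMs or containers.` Since the kernel uses the maximum of the `all` and per-interface values for this option, a later per-interface override cannot relax it, which is worth a short comment because the file uses the `net.ipv4.conf.*` glob. The README bullet in the same patch carries the same simplified wording.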
@@ -443,6 +443,17 @@ net.ipv4.conf.*.send_redirects=0
 net.ipv6.conf.*.accept_redirects=0
 #net.ipv4.conf.*.secure_redirects=1
 
+## Deny sending and receiving RFC1620 shared media redirects.
+## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs.
+## Stops the kernel from sending ICMP redirects to specific networks from the connected network.
+## This variable overrides the use secure_redirects.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+## https://datatracker.ietf.org/doc/html/rfc1620
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+##
+#net.ipv4.conf.*.shared_media=0
+
 ## Enable ARP (Address Resolution Protocol) filtering.
 ## Prevents the Linux kernel from handling the ARP table globally
 ## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
From c1167968542a62d0677517e11505f6e9222ec378 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 12 Dec 2024 06:36:47 +0000
Subject: [PATCH 6/6] `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details

---
 usr/lib/sysctl.d/990-security-misc.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index c43ca19..93efe26 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -467,6 +467,9 @@ net.ipv6.conf.*.accept_redirects=0
 ## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
 ##
 ## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium
+## https://github.com/mullvad/mullvadvpn-app/pull/7141
+## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
 ##
 #net.ipv4.conf.*.arp_ignore=2
 
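Review bot: `## This variable overrides the use secure_redirects.` in the `shared_media` hunk is garbled, and the two lines above it only describe the sending side, while the receive side is the part that interacts with `secure_redirects`: the kernel documentation marks `secure_redirects` as overridden by `shared_media`, so with `shared_media` left at its default the secure check is not applied, and setting it to 0 is what activates that check and additionally requires a redirect's new gateway to share a subnet with the current one. Suggest `## Overrides secure_redirects: with shared_media=0 a redirect is only sent or accepted when the new gateway is in the same subnet as the current one.` in place of that line. Since the surrounding context already shows `send_redirects=0` and `accept_redirects=0`, the comment should also state that this option is defence in depth for the case where redirects are re-enabled, otherwise readers may expect a standalone effect from it.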