Enable ARP filtering #289

Open
wants to merge 1 commit into
base: master

raja-grewal
Contributor

As per #279 (comment).

Changes

Set sysctl net.ipv4.conf.*.arp_filter=1

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@ArrayBolt3
Contributor

I may just be getting confused by the legitimately difficult-to-understand documentation for arp_ignore in Linux, but I don't see anything this option does that arp_ignore=2 doesn't already do. Personally though, I'm fine with enabling it as a form of defense-in-depth (if a bug in Linux causes one option to just not work, the other one may be able to keep the system from becoming vulnerable anyway).

I do worry about how this and arp_ignore=2 may affect bridged networking under VirtualBox and libvirt. Won't these options prevent the VM from being able to find the IP addresses of any other device on the local network? If so, it may still be worth it to break that, but only if we document how to unbreak it and support doing so.
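
Added example, not part of the pull request or of either comment above: a shell check that reports the effective arp_filter and arp_ignore value per interface, following the kernel's documented rule that arp_filter is on when either conf/all or conf/<interface> sets it and that arp_ignore uses the maximum of the two. The function names, the conf-root argument and the sample interface tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare each interface's effective ARP settings with the
# values discussed in this thread (arp_filter=1, arp_ignore=2).

# read_val <file>: print the integer stored in the file, or 0 if it is absent
read_val() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# effective_arp <conf_root> <iface>: print "<arp_filter> <arp_ignore>" as applied:
# arp_filter = all OR iface, arp_ignore = max(all, iface)
effective_arp() {
    root=$1; ifc=$2
    f_all=$(read_val "$root/all/arp_filter"); f_if=$(read_val "$root/$ifc/arp_filter")
    i_all=$(read_val "$root/all/arp_ignore"); i_if=$(read_val "$root/$ifc/arp_ignore")
    if [ "$f_all" -ne 0 ] || [ "$f_if" -ne 0 ]; then filt=1; else filt=0; fi
    if [ "$i_all" -gt "$i_if" ]; then ign=$i_all; else ign=$i_if; fi
    echo "$filt $ign"
}

# audit_arp <conf_root>: one line per interface; returns non-zero if any
# interface's effective values differ from arp_filter=1 / arp_ignore=2
audit_arp() {
    root=$1; rc=0
    for d in "$root"/*/; do
        ifc=$(basename "$d")
        case $ifc in all|default) continue ;; esac
        set -- $(effective_arp "$root" "$ifc")
        if [ "$1" -eq 1 ] && [ "$2" -eq 2 ]; then state=match; else state=differs; rc=1; fi
        echo "$ifc arp_filter=$1 arp_ignore=$2 $state"
    done
    return $rc
}

# make_sample_tree <dir>: constructed sample, not taken from a real host.
# all/ sets only arp_filter=1; eth0 sets arp_ignore=2; br0 sets arp_ignore=1.
make_sample_tree() {
    mkdir -p "$1/all" "$1/eth0" "$1/br0"
    echo 1 > "$1/all/arp_filter";  echo 0 > "$1/all/arp_ignore"
    echo 0 > "$1/eth0/arp_filter"; echo 2 > "$1/eth0/arp_ignore"
    echo 0 > "$1/br0/arp_filter";  echo 1 > "$1/br0/arp_ignore"
}

# Audit a tree only when a path is given, e.g. /proc/sys/net/ipv4/conf
if [ -n "${1:-}" ]; then audit_arp "$1"; fi
```

Running it with `/proc/sys/net/ipv4/conf` inside a bridged VM, before and after applying the sysctl, shows which interfaces the change actually reaches.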
