diff --git a/etc/sysctl.d/60-airsnitch.conf b/etc/sysctl.d/60-airsnitch.conf
new file mode 100644
index 00000000..2df0a849
--- /dev/null
+++ b/etc/sysctl.d/60-airsnitch.conf
@@ -0,0 +1,10 @@
+# 2026-02-27 https://github.com/vanhoefm/airsnitch/blob/main/README.md#id-defense-filter-bcast
+# Client operating systems should by default drop unicast IP packets in layer
+# 2 broadcast/multicast frames.
+net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1
+net.ipv6.conf.all.drop_unicast_in_l2_multicast = 1
+# "legacy" interface names likely existing on my system
+net.ipv4.conf.eth0.drop_unicast_in_l2_multicast = 1
+net.ipv6.conf.eth0.drop_unicast_in_l2_multicast = 1
+net.ipv4.conf.wlan0.drop_unicast_in_l2_multicast = 1
+net.ipv6.conf.wlan0.drop_unicast_in_l2_multicast = 1