[Touch-packages] [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2018-05-24 Thread Simon Iremonger
FWIW, although syncookies has long since been enabled upstream, the outdated comments in sysctl about syncookies still persist; I have now created new Ubuntu bug #1773157 [please comment there]. [This also requests ECN-on-outgoing enablement, which has similarly matured, etc.]

[Touch-packages] [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2017-12-11 Thread Nils Toedtmann
I filed a request for ufw not to override https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1737585 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to procps in Ubuntu. https://bugs.launchpad.net/bugs/57091 Title:

[Touch-packages] [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-10-07 Thread Matthew Caron
Will do, Simon.

Re: [Touch-packages] [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-10-07 Thread Simon Iremonger
> Bog standard 16.04 has it turned on (from the above referenced
> 10-network-security.conf).
> But, if you then enabled ufw, it gets disabled, due to the default
> setting in /etc/ufw/sysctl.conf.
> There seems to be serious debate as to whether

[Touch-packages] [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-10-06 Thread Matthew Caron
Well, and it gets more interesting. Bog standard 16.04 has it turned on (from the above referenced 10-network-security.conf). But, if you then enabled ufw, it gets disabled, due to the default setting in /etc/ufw/sysctl.conf. There seems to be serious debate as to whether or not enabling it is

[Touch-packages] [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-05-18 Thread antisa
Here is the entry from ...10-network-security.conf from 16.04 (although from Desktop edition) "
# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions. When flood
# protections kick in under high unanswered-SYN load, the

[Touch-packages] [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-02-15 Thread Simon Iremonger
The upstream kernel has decided to enable syncookies by default (according to that Debian bug, since Linux 2.6.37!). This makes sense, as the main downsides have already been resolved (especially window scaling even under syncookies-activation), and this feature only kicks in if the SYN-queue is