Public bug reported:

In 2008 ufw decided to *disable* TCP SYN cookies by default in
/etc/ufw/sysctl.conf, see
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/189565

After a more detailed discussion that had started in 2006, procps
*enabled* TCP SYN cookies by default in
/etc/sysctl.d/10-network-security.conf in 2009, see
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091

No two packages should try to set conflicting defaults on the same
sysctl without very good reason. This is a funny case where the base
package procps uses a more secure default (SYN cookies enabled), and the
firewall package ufw uses a less secure default (SYN cookies disabled) -
one would expect the other way round. At least I would expect ufw not to
*weaken* security settings.

Regarding the question whether or not SYN cookies should be enabled (as
opposed to the question which package should own this setting): I guess
that there are lots of systems without ufw, and all of those run happily
with procps' default net.ipv4.tcp_syncookies=1, or at least I could not
find any bug reports that complained. The kernel only activates the
mechanism once it thinks a SYN flood is happening, so whatever the
disadvantages of SYN cookies are, they only kick in under these
circumstances.

For all the above reasons I suggest ufw should not touch
net.ipv4.tcp_syncookies and leave it however it is already set in
/etc/sysctl.{conf,d/}

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1737585

Title:
  ufw should not override procps' default of net.ipv4.tcp_syncookies=1

Status in ufw package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1737585/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
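A check for the situation the report describes, added here as an example and not taken from the report, from ufw or from procps: it lists every config file that assigns a given sysctl, reports whether those files agree, and prints the live kernel value for comparison. Assumptions not stated on the page: the default file list follows Ubuntu's layout (procps applies /etc/sysctl.conf and /etc/sysctl.d/*.conf at boot, ufw applies /etc/ufw/sysctl.conf when it starts, so ufw's value is the one that ends up in the kernel); ufw's file writes keys with slashes (net/ipv4/tcp_syncookies) while sysctl.d files use dots, so the parser accepts both; the sample files built by make_sample are constructed and only mirror the two conflicting lines the report mentions.

```shell
#!/bin/sh
# Added example (not ufw's or procps' code): find every config file that
# assigns a sysctl, report whether they agree, and show the live value.
# Usage: audit_sysctl net.ipv4.tcp_syncookies [file...]

# Print "value file" for each file in $2.. that assigns the key in $1.
# Accepts "key=value" and "key = value" with '.' or '/' separators,
# ignores comments; the last assignment in a file wins, mirroring the
# in-order processing of sysctl(8).
sysctl_assignments() {
    key="$1"; shift
    key_re=$(printf '%s' "$key" | sed 's,[./],[./],g')
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n -E "s,^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*([^[:space:]#]+).*,\1,p" "$f" | tail -n 1)
        [ -n "$v" ] && printf '%s %s\n' "$v" "$f"
    done
    return 0
}

# Number of distinct values assigned across the given files (0 = unset).
sysctl_distinct_values() {
    sysctl_assignments "$@" | awk '{print $1}' | sort -u | grep -c . || true
}

# Exit 0 when the files agree (or none sets the key), 1 on a conflict.
sysctl_conflict() {
    [ "$(sysctl_distinct_values "$@")" -le 1 ]
}

# Live kernel value read from /proc/sys (prints nothing if unavailable).
sysctl_running() {
    p="/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    [ -r "$p" ] && cat "$p"
    return 0
}

# Full audit; without explicit files it uses the assumed Ubuntu layout.
audit_sysctl() {
    key="$1"; shift
    if [ $# -eq 0 ]; then
        set -- /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/ufw/sysctl.conf
    fi
    sysctl_assignments "$key" "$@"
    if sysctl_conflict "$key" "$@"; then
        echo "ok: no conflicting assignments for $key"
    else
        echo "CONFLICT: $key is assigned different values by the files above"
    fi
    live=$(sysctl_running "$key")
    [ -n "$live" ] && echo "running value: $key = $live"
    return 0
}

# Constructed sample (not the real files, which contain more settings):
# procps' dotted form enabling SYN cookies next to ufw's slashed form
# disabling them. Prints the directory holding the two files.
make_sample() {
    d=$(mktemp -d)
    printf 'net.ipv4.tcp_syncookies=1\n' > "$d/10-network-security.conf"
    printf '# ufw\nnet/ipv4/tcp_syncookies=0\n' > "$d/ufw-sysctl.conf"
    printf '%s\n' "$d"
}

# Example run against the constructed sample:
#   d=$(make_sample); audit_sysctl net.ipv4.tcp_syncookies "$d"/*.conf
# Example run against the real host:
#   audit_sysctl net.ipv4.tcp_syncookies
```

Run against a real Ubuntu host, a CONFLICT line together with a running value of 0 is exactly the report's complaint: procps' file says 1, ufw's says 0, and because ufw applies its file later, 0 is what the kernel ends up with.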