Please enable /proc/sys/net/ipv4/tcp_syncookies by default in sysctl.conf.

This is the fedora-devel thread discussing this: https://www.redhat.com/archives/fedora-devel-list/2005-January/msg00447.html
and Alan Cox's reply: https://www.redhat.com/archives/fedora-devel-list/2005-January/msg00483.html

Note that this is in conformance with the Fedora philosophy of providing good defaults instead of many tools for customization. When bastille-linux was proposed on fedora-devel for inclusion in Fedora, the conclusion was to see what changes it performs and make them the defaults if they are better for most users.

Thanks!
Added in CVS, will be in later builds.
I noticed that the tcp_syncookies setting is no longer included in recent Fedora releases (starting with 10?). The only reference to this I can find is in the initscripts changelog:

* Tue Jul 29 2008 Bill Nottingham <notting> - 8.80-1
- Turn off syncookies

But that doesn't address *why* the change was made. So I'm curious: has there been some new development since 2005 that makes enabling syncookies a Really Bad Idea? Were syncookies found to be incompatible with certain functionality in recent Fedora releases?
It was done at the request of the upstream Linux networking stack maintainers (David Miller in particular).
Hrm.. I assume you're referring to this: http://lkml.org/lkml/2008/7/24/51

Perhaps enabling syncookies did at one time completely disable SACK and timestamps, I don't know, but with current kernels it has no effect on the TCP stack until the SYN queue becomes full:
http://lkml.org/lkml/2008/7/24/178
http://lkml.org/lkml/2008/2/5/422
http://groups.google.com/group/linux_net/msg/9261a014825c042f

And since 2.6.26, the SACK and window scaling options are preserved on connections saved by syncookies: http://lwn.net/Articles/277146/
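The thread turns on two things a practitioner would want to check on a given box: what sysctl.conf says about net.ipv4.tcp_syncookies and what the running kernel actually has, alongside the SYN backlog size that decides when cookies are engaged at all. The script below is an added example, not code from the bug report, initscripts or the kernel discussion linked above. It assumes the usual sysctl.conf syntax (one "key = value" per line, "#" comments, last assignment wins as with `sysctl -p`); the function names conf_value, running_value and syncookies_report are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug thread: audit the TCP SYN-cookie settings
# in a sysctl.conf-style file and in the running kernel.

# conf_value FILE KEY
# Print the effective value of KEY in a sysctl.conf-style FILE (the last
# uncommented assignment wins, as with `sysctl -p`), or "unset" if absent.
conf_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/  { next }             # skip comment lines
        /^[[:space:]]*$/  { next }             # skip blank lines
        {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k)         # key never contains spaces
            sub(/^[[:space:]]+/, "", v)        # trim value on both sides
            sub(/[[:space:]]+$/, "", v)
            if (k == key) last = v             # later lines override earlier
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# running_value KEY
# Print the live value of KEY from /proc/sys (dots become slashes), or
# "unavailable" when the file cannot be read (e.g. inside a container).
running_value() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# syncookies_report FILE
# Print one line per relevant setting, comparing the file with the running
# kernel; return 0 only if FILE turns SYN cookies on.
syncookies_report() {
    for key in net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog; do
        printf '%-32s conf=%-6s running=%s\n' "$key" \
            "$(conf_value "$1" "$key")" "$(running_value "$key")"
    done
    [ "$(conf_value "$1" net.ipv4.tcp_syncookies)" = "1" ]
}

# Usage: syncookies_report /etc/sysctl.conf
```

The report deliberately shows both values side by side: a sysctl.conf that says 1 while /proc says 0 (or the reverse, when a distribution default or another snippet sets it) is exactly the kind of drift this bug is about, and tcp_max_syn_backlog is printed because, as the comment above notes, cookies only come into play once that queue is full.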