Red Hat Bugzilla – Bug 145201
enable tcp_syncookies by default
Last modified: 2014-03-16 22:51:50 EDT
Please enable by default
This is the thread of fedora-devel discussing this
and Alan Cox's reply
Note that this is in conformance with Fedora philosophy, to provide
good defaults instead of many tools for customizations. When
bastille-linux was proposed in fedora-devel to be included in Fedora,
the conclusion was to see what changes it performs and make them the
defaults if it's better for most users.
Added in CVS, will be in later builds.
I noticed that the tcp_syncookies setting is no longer included in recent Fedora releases (starting with 10?). The only reference to this I can find is in the initscripts changelog:
* Tue Jul 29 2008 Bill Nottingham <email@example.com> - 8.80-1
- Turn off syncookies
But that doesn't address *why* the change was made. So I'm curious: Has there been some new development since 2005 that makes enabling syncookies a Really Bad Idea? Were syncookies found to be incompatible with certain functionality in recent Fedora releases?
It was done at the request of the upstream Linux networking stack maintainers (David Miller in particular).
Hrm.. I assume you're referring to this:
Perhaps enabling syncookies did at one time completely disable SACK and timestamps, I don't know, but with current kernels, it has no effect on the TCP stack until the SYN queue becomes full:
And since 2.6.26, the SACK and window scaling options are preserved on connections saved by syncookies:
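Since the thread's point is that tcp_syncookies only changes behaviour once a listen socket's SYN queue overflows, the sysctl value alone says little; the TcpExt counters in /proc/net/netstat record whether cookies were ever sent. The following is an added example (not from the bug report, the kernel or Fedora) that parses that file and reports the syncookie counters; it assumes Python 3, the standard two-line header/value layout of /proc/net/netstat, and uses a constructed sample rather than a real host's data.

```python
"""Report SYN-cookie activity from /proc/net/netstat (added example)."""
from pathlib import Path

# TcpExt counters tied to SYN cookies: cookies sent/received/failed, and SYN
# queue overflows answered with a cookie versus dropped outright.
SYNCOOKIE_COUNTERS = (
    "SyncookiesSent", "SyncookiesRecv", "SyncookiesFailed",
    "TCPReqQFullDoCookies", "TCPReqQFullDrop",
)

def parse_netstat(text):
    """Parse /proc/net/netstat into {prefix: {counter: int}}.

    Each prefix (e.g. 'TcpExt:') occupies two lines: first the counter
    names, then the matching integer values."""
    stats, pending = {}, {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        prefix, _, rest = line.partition(":")
        fields = rest.split()
        if prefix not in pending:
            pending[prefix] = fields                 # header line: names
        else:
            names = pending.pop(prefix)              # value line: numbers
            stats[prefix] = dict(zip(names, map(int, fields)))
    return stats

def syncookie_report(netstat_text, sysctl_value):
    """Return (syncookie counters, one-line assessment) for a host."""
    tcpext = parse_netstat(netstat_text).get("TcpExt", {})
    counters = {n: tcpext.get(n, 0) for n in SYNCOOKIE_COUNTERS}
    if sysctl_value == 0:
        state = "syncookies disabled: SYN queue overflow drops new connections"
    elif sysctl_value == 2:
        state = "syncookies forced on for every SYN (testing mode)"
    elif counters["SyncookiesSent"] or counters["TCPReqQFullDoCookies"]:
        state = "syncookies enabled and have been used (SYN queue overflowed)"
    else:
        state = "syncookies enabled but idle: SYN queue has not overflowed"
    return counters, state

# Constructed sample in /proc/net/netstat layout; not captured from a real host.
SAMPLE_NETSTAT = (
    "TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts "
    "TCPReqQFullDoCookies TCPReqQFullDrop\n"
    "TcpExt: 1523 1498 25 3 1523 0\n"
    "IpExt: InNoRoutes InTruncatedPkts\nIpExt: 0 0\n"
)

if __name__ == "__main__":   # on a Linux host, read the live files instead
    sysctl = int(Path("/proc/sys/net/ipv4/tcp_syncookies").read_text())
    counters, state = syncookie_report(Path("/proc/net/netstat").read_text(), sysctl)
    print(state, counters)
```

A non-zero SyncookiesFailed count is worth a look: it means SYN/ACK replies were answered with cookies the kernel could not validate, which is expected under real floods but also shows up when the sysctl is set to 2.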