On Mon, 21 Aug 2006, Jeremy Vies wrote:
> I think "tcp_syncookies" is considered as part of the FW mechanism of the kernel.
> As Dapper (and previous releases) does not provide any FW out of the box, it is normal that tcp_syncookies are not activated by default.
> Your bug report should be put as a wish for next release, and maybe linked to the bug about the "missing FW" in Ubuntu.
Urrm... Well a firewall addon is another matter...
That is for blocking ports and particular hosts and so forth.....
Ubuntu (sensibly) starts with no 'open ports' (except on 127.0.0.1)
unless you add a service or install a LAMP server...
It doesn't need a firewall for a lot of cases -- a firewall just adds
needless extra complexity.... Just don't start services you don't
want. You only need to add a firewall if you want to control access
from particular IP addresses and so forth...
But w/o syncookies your VNC or SSH or Samba shares or whatever can
be trivially DoSed from a low-bandwidth connection, which is rather
silly really. I understand they don't actually change anything
about TCP behaviour until there are too many SYN_RECVD entries,
at which point the syncookies 'kick in', permitting access to
your TCP servers which are under a continuing SYN flood....
--enyc <email address hidden>
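The behaviour described in the message above (half-open SYN_RECV entries piling up on a listener, and tcp_syncookies only mattering once that queue is full) can be checked from the host's own data. The script below is an added example, not code from this thread or from Ubuntu; it parses the /proc/net/tcp socket table and a sysctl.conf-style file, counts half-open connections per listening port, and reports whether syncookies would let the listener keep accepting connections. All sample rows and settings are constructed for the demo (the tiny tcp_max_syn_backlog is there only to trip the check), and comparing the count against net.ipv4.tcp_max_syn_backlog is an approximation of the kernel's real per-listener SYN-queue trigger.

```python
"""Added example (not from the thread): inspect SYN_RECV pressure per listener
and whether net.ipv4.tcp_syncookies is there to carry it through a SYN flood."""
import socket
import struct
from collections import Counter

SYN_RECV = 0x03   # "st" column value for a half-open connection
LISTEN = 0x0A     # "st" column value for a listening socket


def decode_addr(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22). procfs stores IPv4 little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row; the first line of the file is a header."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        entries.append({"local_ip": local_ip, "local_port": local_port,
                        "remote_ip": remote_ip, "remote_port": remote_port,
                        "state": int(fields[3], 16)})
    return entries


def parse_sysctl(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def assess(entries, sysctl, default_backlog=128):
    """Per listening port: half-open count and whether syncookies would keep
    it reachable once the queue is full. Using tcp_max_syn_backlog as the
    threshold is an approximation of the kernel's per-listener SYN queue."""
    backlog = int(sysctl.get("net.ipv4.tcp_max_syn_backlog", default_backlog))
    cookies_on = sysctl.get("net.ipv4.tcp_syncookies", "0") != "0"
    half_open = Counter(e["local_port"] for e in entries if e["state"] == SYN_RECV)
    report = {}
    for e in entries:
        if e["state"] != LISTEN:
            continue
        n = half_open.get(e["local_port"], 0)
        full = n >= backlog
        report[e["local_port"]] = {"half_open": n, "backlog": backlog,
                                   "syncookies_active": full and cookies_on,
                                   "at_risk": full and not cookies_on}
    return report


# Constructed /proc/net/tcp sample: one sshd listener on port 22, three
# half-open connections from 10.0.0.1-3, and one established local session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0016 0100000A:C350 03 00000000:00000000 01:00000100 00000000     0        0 0 1
   2: 00000000:0016 0200000A:C351 03 00000000:00000000 01:00000100 00000000     0        0 0 1
   3: 00000000:0016 0300000A:C352 03 00000000:00000000 01:00000100 00000000     0        0 0 1
   4: 0100007F:0016 0100007F:D431 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1
"""

# Constructed settings: the weak one mirrors the "cookies off" default the
# thread complains about; the backlog is tiny only so the sample trips it.
WEAK_SYSCTL = """\
# syncookies disabled (assumed default under discussion)
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 3
"""
HARDENED_SYSCTL = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 3
"""


def run_demo():
    """Assess the same socket table under both settings files."""
    entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return (assess(entries, parse_sysctl(WEAK_SYSCTL)),
            assess(entries, parse_sysctl(HARDENED_SYSCTL)))


if __name__ == "__main__":
    for name, report in zip(("syncookies=0", "syncookies=1"), run_demo()):
        for port, r in report.items():
            print(f"{name}: port {port} half-open={r['half_open']}/{r['backlog']} "
                  f"syncookies_active={r['syncookies_active']} at_risk={r['at_risk']}")
```

On a live host, feed `open("/proc/net/tcp").read()` and `open("/etc/sysctl.conf").read()` (or the output of `sysctl net.ipv4`) into the same functions; a port that shows `at_risk=True` is a listener whose SYN queue is full with no cookie fallback, which is exactly the state the message above describes.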