Comment 6 for bug 57091

enyc (enyc) wrote :

Jeremy,
I can confirm that SYNcookies are NOT part of the firewall mechanism of the kernel.

The CONFIG_NETFILTER option in Linux 2.6 is the toggle for Linux packet filtering support called 'netfilter' (iptables)... There are many sub-choices/options for netfilter.

CONFIG_SYN_COOKIES, however, is a different choice that allows you to enable/disable compiling support for SYNcookies SYN-flood defense.

Please also note that you generally cannot properly 'firewall out' a typical spoofed-source SYN flood without preventing legitimate access to your server.