ufw should not override procps' default of net.ipv4.tcp_syncookies=1

Bug #1737585 reported by Nils Toedtmann
This bug affects 2 people
Affects: ufw (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

2008 ufw decided to *disable* TCP SYN cookies by default in /etc/ufw/sysctl.conf, see https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/189565

After a more detailed discussion that had started in 2006, procps *enabled* TCP SYN cookies by default in /etc/sysctl.d/10-network-security.conf in 2009, see https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091

No two packages should try to set conflicting defaults on the same sysctl without very good reason. This is a funny case where the base package procps uses a more secure default (SYN cookies enabled), and the firewall package ufw uses a less secure default (SYN cookies disabled) - one would expect the other way round. At least I would expect ufw not to *weaken* security settings.

Regarding the question whether or not SYN cookies should be enabled (as opposed to the question which package should own this setting): I guess that there are lots of systems without ufw, and all of those run happily with procps' default net.ipv4.tcp_syncookies=1, or at least I could not find any bug reports that complained. The kernel only activates the mechanism once it thinks a SYN flood is happening, so whatever the disadvantages of SYN cookies are, they only kick in under these circumstances.

For all the above reasons I suggest ufw should not touch net.ipv4.tcp_syncookies and leave it however it is already set in /etc/sysctl.{conf,d/}.
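As an added illustration (not part of the bug report or of ufw's own code), the POSIX shell snippet below models the load order the report relies on: procps applies /etc/sysctl.d/*.conf and then /etc/sysctl.conf, and ufw applies its own /etc/ufw/sysctl.conf when the firewall comes up, so the last writer wins. It builds a constructed sandbox directory containing procps' default and the old ufw default, then reports which file ends up owning net.ipv4.tcp_syncookies; the sandbox layout and file contents are assumptions for the demo.

```shell
#!/bin/sh
# Constructed example: find which sysctl config file wins for a key.
# Modelled order: /etc/sysctl.d/*.conf (lexical, as "sysctl --system"
# does), then /etc/sysctl.conf, then /etc/ufw/sysctl.conf, which ufw
# loads itself when the firewall is enabled and therefore lands last.
# Usage: resolve_sysctl ROOT KEY  -> prints "VALUE FILE" (or "unset -")
resolve_sysctl() {
    root=$1; key=$2
    value=unset; origin='-'
    # ufw writes keys as net/ipv4/..., procps as net.ipv4.... ; accept both
    pat=$(printf '%s' "$key" | sed 's/\./[.\/]/g')
    for f in "$root"/etc/sysctl.d/*.conf "$root"/etc/sysctl.conf \
             "$root"/etc/ufw/sysctl.conf; do
        [ -f "$f" ] || continue
        # last uncommented assignment within a file wins for that file
        v=$(sed -n "s|^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*|\1|p" "$f" \
            | tail -n 1)
        if [ -n "$v" ]; then value=$v; origin=$f; fi
    done
    printf '%s %s\n' "$value" "$origin"
}

# Build a throwaway tree that mimics the conflicting defaults (constructed).
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/etc/sysctl.d" "$sb/etc/ufw"
    # procps default from 10-network-security.conf: SYN cookies on
    printf 'net.ipv4.tcp_syncookies=1\n' > "$sb/etc/sysctl.d/10-network-security.conf"
    printf '# kernel.sysrq=0\n' > "$sb/etc/sysctl.conf"
    # ufw default before 0.35-3: SYN cookies off, in ufw's slash notation
    printf '# ufw\nnet/ipv4/tcp_syncookies=0\n' > "$sb/etc/ufw/sysctl.conf"
    echo "$sb"
}

# Demo: show who owns the key with the old ufw file in place.
demo_root=$(make_sandbox)
resolve_sysctl "$demo_root" net.ipv4.tcp_syncookies
```

Running it prints `0 <sandbox>/etc/ufw/sysctl.conf`, i.e. ufw's file silently overrides the procps default; commenting out the ufw line makes the procps file win with value 1.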

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This was actually fixed earlier this year: http://bazaar.launchpad.net/~jdstrand/ufw/trunk/revision/972 and patched in Debian and Ubuntu via 0.35-3. I'm going to mark this as Fixed Released.

Thanks for reporting this bug! :)

Changed in ufw (Ubuntu):
status: New → Fix Released
Revision history for this message
Nils Toedtmann (m-launchpad-net-mail-nils-toedtmann-net) wrote :

Sorry for only checking the latest LTS, didn't realize it had been fixed in >= 17.04. Thx.
