ufw should not override procps' default of net.ipv4.tcp_syncookies=1
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
In 2008 ufw decided to *disable* TCP SYN cookies by default in /etc/ufw/
After a more detailed discussion that had started in 2006, procps *enabled* TCP SYN cookies by default in /etc/sysctl.
No two packages should try to set conflicting defaults on the same sysctl without very good reason. This is a funny case where the base package procps uses a more secure default (SYN cookies enabled), and the firewall package ufw uses a less secure default (SYN cookies disabled) - one would expect the other way round. At least I would expect ufw not to *weaken* security settings.
Regarding the question whether or not SYN cookies should be enabled (as opposed to the question which package should own this setting): I guess that there are lots of systems without ufw, and all of those run happily with procps' default net.ipv4.
For all the above reasons I suggest ufw should not touch net.ipv4.
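One way to catch this kind of conflict on a host, as an added example that is not part of the bug report: a small POSIX shell audit that lists every sysctl config file setting net.ipv4.tcp_syncookies and flags when the values disagree. The Ubuntu paths /etc/sysctl.conf, /etc/sysctl.d/*.conf and /etc/ufw/sysctl.conf are the usual locations; the sample files here are constructed in a temporary directory to mirror the procps/ufw disagreement.

```shell
#!/bin/sh
# Added example (not code from ufw or procps): audit which sysctl config files
# set net.ipv4.tcp_syncookies and whether they agree on the value.

# Print "value file" for each uncommented tcp_syncookies line in the given files.
# Accepts both spellings: "net.ipv4.tcp_syncookies = 1" and "net/ipv4/tcp_syncookies=0".
syncookie_settings() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -n -E 's#^[[:space:]]*net[./]ipv4[./]tcp_syncookies[[:space:]]*=[[:space:]]*([01]).*#\1 '"$f"'#p' "$f"
    done
}

# Return 0 when all files agree (or none sets it), 1 when two files disagree.
syncookie_conflict() {
    n=$(syncookie_settings "$@" | awk '{print $1}' | sort -u | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Constructed samples: the base package enables cookies, the firewall package disables them,
# and a commented-out line must be ignored.
demo_dir=$(mktemp -d)
printf 'net.ipv4.tcp_syncookies = 1\n' > "$demo_dir/10-procps.conf"
printf '# firewall defaults\nnet/ipv4/tcp_syncookies=0\n' > "$demo_dir/ufw-sysctl.conf"
printf '#net.ipv4.tcp_syncookies = 0\n' > "$demo_dir/commented.conf"

syncookie_settings "$demo_dir"/*.conf
if syncookie_conflict "$demo_dir"/*.conf; then
    echo "no conflict"
else
    echo "CONFLICT: two config files disagree on net.ipv4.tcp_syncookies"
fi
rm -rf "$demo_dir"

# On a real host, compare the files that actually ship the setting with the running value:
#   syncookie_settings /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/ufw/sysctl.conf
#   sysctl net.ipv4.tcp_syncookies
```

The running value reported by sysctl is whichever file was applied last at boot, so the audit shows the disagreement even when the effective setting happens to be the secure one.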
This was actually fixed earlier this year: http://bazaar.launchpad.net/~jdstrand/ufw/trunk/revision/972 and patched in Debian and Ubuntu via 0.35-3. I'm going to mark this as Fix Released.
Thanks for reporting this bug! :)