2014-06-05 16:38:03
Stoyan Stoyanov
Description:
Setting system variables in a non-standard location is a bit confusing. Please consider moving /etc/ufw/sysctl.conf in /etc/sysctl.d where precedence can be easily determined.
For example, UFW sets tcp_syncookies to 0 since:
# Change to '1' to enable TCP/IP SYN cookies This disables TCP Window Scaling
# (http://lkml.org/lkml/2008/2/5/167)
but at the same time tcp_syncookies is set to 1 in /etc/sysctl.d/10-network-security.conf due to:
# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions. When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
In this case the variable setting at the usual places (/etc/sysctl.conf and /etc/sysctl.d/) shows one thing while the live system variable is set differently and you are left wondering which package/config/script is responsible for it.
BTW, the system-wide setting for tcp_syncookies as provided by the procps package in /etc/sysctl.d/10-network-security.conf seems to be more reasonable.
ufw 0.34~rc-0ubuntu2
Ubuntu 14.04 LTS
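The confusion described in the report (a value in /etc/sysctl.d that is not the live value, with no obvious culprit) can be traced with a small script that lists every configuration file assigning a given key, in the order the files are applied, and compares the last one with /proc/sys. The script below is an added example, not code from the report, from ufw or from procps. It assumes that procps applies /etc/sysctl.d/*.conf followed by /etc/sysctl.conf with later assignments winning, and that ufw applies its own /etc/ufw/sysctl.conf when the firewall starts, i.e. after procps, which is the ordering that lets the ufw value end up live.

```sh
#!/bin/sh
# Added example (not from the bug report, ufw or procps): show which sysctl
# configuration file sets a key, in apply order, and the running kernel value.
#
# Assumed apply order: /etc/sysctl.d/*.conf, then /etc/sysctl.conf (procps),
# then /etc/ufw/sysctl.conf (applied by ufw itself at firewall start).
# Both "a.b.c" and "a/b/c" key spellings are accepted, as sysctl does.

# _scan_file FILE KEY : print "FILE<TAB>VALUE" for every line that assigns KEY.
# Comments (# or ;) are stripped and "/" is normalised to "." before matching.
_scan_file() {
    [ -f "$1" ] || return 0
    sed -e 's/[#;].*$//' "$1" | tr '/' '.' | awk -v f="$1" -v k="$2" -F'=' '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == k) print f "\t" $2
        }'
}

# sysctl_sources KEY SOURCE... : each SOURCE is a file or a directory whose
# *.conf files are read in name order. Output is in apply order, so the last
# line is the assignment that wins among the configuration files.
sysctl_sources() {
    key=$(printf '%s' "$1" | tr '/' '.'); shift
    for src in "$@"; do
        if [ -d "$src" ]; then
            for f in "$src"/*.conf; do _scan_file "$f" "$key"; done
        else
            _scan_file "$src" "$key"
        fi
    done
}

# sysctl_effective KEY SOURCE... : value from the last file that sets KEY,
# or "unset" when none of the given sources assigns it.
sysctl_effective() {
    last=$(sysctl_sources "$@" | tail -n 1)
    if [ -n "$last" ]; then
        printf '%s\n' "$last" | cut -f2-
    else
        echo unset
    fi
}

# sysctl_live KEY : the running value from /proc/sys, or "n/a" when unreadable.
sysctl_live() {
    p=/proc/sys/$(printf '%s' "$1" | tr '.' '/')
    if [ -r "$p" ]; then cat "$p"; else echo n/a; fi
}

# Usage against the paths named in the report (no root needed to read them):
#   sysctl_sources net.ipv4.tcp_syncookies /etc/sysctl.d /etc/sysctl.conf /etc/ufw/sysctl.conf
#   sysctl_effective net.ipv4.tcp_syncookies /etc/sysctl.d /etc/sysctl.conf /etc/ufw/sysctl.conf
#   sysctl_live net.ipv4.tcp_syncookies
```

Running the three usage lines on a system like the one in the report shows /etc/sysctl.d/10-network-security.conf assigning 1, /etc/ufw/sysctl.conf assigning 0 later in the list, and the live value agreeing with the ufw file; a mismatch between `sysctl_effective` over the three paths and `sysctl_live` would point at yet another source (a script or package writing /proc/sys directly).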