On Mon, 21 Aug 2006, Jeremy Vies wrote:

> I think "tcp_syncookies" is considered as part of the FW mechanism of the
> kernel.
> As Dapper (and previous releases) does not provide any FW out of the box, it
> is normal that tcp_syncookies are not activated by default.
> Your bug report should be put as a wish for next release, and maybe linked
> to bug about the "missing FW" in Ubuntu.

Urrm... Well a firewall addon is another matter... That is for blocking ports and particular hosts and so forth.....

Ubuntu (sensibly) starts with no 'open ports' (except on 127.0.0.1) unless you add a service or install a LAMP server... It doesn't need a firewall for a lot of cases -- firewall just adds needless extra complexity.... Just don't start services you don't want. Only need to add a firewall if you want to control access of particular IP addresses and so forth...

But w/o syncookies your VNC or SSH or Samba shares or whatever can be trivially DoSed from a low-bandwidth connection, which is rather silly really. I understand they don't actually change anything about TCP behaviour until there are too many SYN_RECVD entries, at which point the syncookies 'kick in', permitting access to your TCP servers which are under continuing SYN flood....

--enyc <[EMAIL PROTECTED]>

--
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...
https://launchpad.net/bugs/57091

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
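The half-open SYN_RECVD entries the reply mentions are what you can watch to see whether a listener is being flooded before syncookies engage. The script below is an added example, not from the thread or from Ubuntu: it parses the /proc/net/tcp table (state column 03 is SYN_RECV), counts half-open connections per local port, and reads the tcp_syncookies and tcp_max_syn_backlog sysctls; the embedded table is a constructed sample used when /proc is not available.

```python
"""Count SYN_RECV entries per listening port from /proc/net/tcp and report
whether SYN cookies are enabled (added example; not from the original thread)."""
import socket
import struct
from collections import Counter
from pathlib import Path

SYN_RECV = 0x03  # Linux TCP state code as it appears in the 'st' column


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into (local_ip, local_port, state) tuples."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # the IPv4 address is stored as a little-endian 32-bit hex value
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        rows.append((ip, int(port_hex, 16), int(fields[3], 16)))
    return rows


def syn_recv_per_port(text):
    """Return {local_port: count} of half-open (SYN_RECV) connections."""
    return Counter(port for _ip, port, st in parse_proc_net_tcp(text) if st == SYN_RECV)


def read_sysctl(name, root="/proc/sys"):
    """Read an integer sysctl such as net.ipv4.tcp_syncookies; None if absent."""
    path = Path(root, *name.split("."))
    return int(path.read_text()) if path.exists() else None


# Constructed sample: a listener on :22, three half-open and one established connection
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100A8C0:0016 0A00A8C0:C3B2 03 00000000:00000000 01:00000010 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   2: 0100A8C0:0016 0B00A8C0:C3B3 03 00000000:00000000 01:00000010 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   3: 0100A8C0:0016 0C00A8C0:C3B4 03 00000000:00000000 01:00000010 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   4: 0100A8C0:0016 0D00A8C0:C3B5 01 00000000:00000000 00:00000000 00000000  1000        0 10002 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    live = Path("/proc/net/tcp")
    text = live.read_text() if live.exists() else SAMPLE
    print("tcp_syncookies =", read_sysctl("net.ipv4.tcp_syncookies"))
    print("tcp_max_syn_backlog =", read_sysctl("net.ipv4.tcp_max_syn_backlog"))
    for port, n in sorted(syn_recv_per_port(text).items()):
        print(f"port {port}: {n} half-open connection(s)")
```

A SYN_RECV count that climbs toward tcp_max_syn_backlog on a host where tcp_syncookies reads 0 is the condition the reply warns about.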