This was actually fixed earlier this year:
http://bazaar.launchpad.net/~jdstrand/ufw/trunk/revision/972 and patched in
Debian and Ubuntu via 0.35-3. I'm going to mark this as Fix Released.

Thanks for reporting this bug! :)

** Changed in: ufw (Ubuntu)
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/1737585

Title:
  ufw should not override procps' default of net.ipv4.tcp_syncookies=1

Status in ufw package in Ubuntu:
  Fix Released

Bug description:
  In 2008 ufw decided to *disable* TCP SYN cookies by default in
  /etc/ufw/sysctl.conf, see
  https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/189565

  After a more detailed discussion that had started in 2006, procps
  *enabled* TCP SYN cookies by default in
  /etc/sysctl.d/10-network-security.conf in 2009, see
  https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091

  No two packages should try to set conflicting defaults on the same
  sysctl without very good reason. This is a funny case where the base
  package procps uses a more secure default (SYN cookies enabled), and
  the firewall package ufw uses a less secure default (SYN cookies
  disabled) - one would expect the other way round. At least I would
  expect ufw not to *weaken* security settings.

  Regarding the question whether or not SYN cookies should be enabled
  (as opposed to the question which package should own this setting):
  I guess that there are lots of systems without ufw, and all of those
  run happily with procps' default net.ipv4.tcp_syncookies=1, or at
  least I could not find any bug reports that complained. The kernel
  only activates the mechanism once it thinks a SYN flood is happening,
  so whatever the disadvantages of SYN cookies are, they only kick in
  under these circumstances.

  For all the above reasons I suggest ufw should not touch
  net.ipv4.tcp_syncookies and leave it however it is already set in
  /etc/sysctl.{conf,d/}

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1737585/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
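The conflict the bug describes is easy to check for on any box: parse each sysctl config file, note which file sets each key to which value, and report keys that two files set differently together with the value that ends up winning. The script below is an added example written for this note; it is not part of the bug thread, ufw, or procps. It assumes that files are applied in the order given on the command line (ufw applies its own /etc/ufw/sysctl.conf when the ufw service starts, i.e. after the boot-time /etc/sysctl.d run, so it is listed last), and the sample files it writes to a temporary directory are constructed to mirror the two defaults in the report (procps enabling SYN cookies, pre-fix ufw disabling them, post-fix ufw leaving the key commented out); they are not the real system files.

```shell
#!/bin/sh
# Added example: find sysctl keys that several config files set to different
# values, and show which setting is effective given the apply order.
# Not ufw's or procps' own code; sample files below are constructed.

# Emit "key value" pairs from one sysctl config file.  Both "net.ipv4.x=1"
# and ufw's "net/ipv4/x = 1" spellings are normalised to the dotted form;
# comments and blank lines are dropped.
sysctl_pairs() {
    sed -e 's/#.*//' -e 's/^[ 	]*//' "$1" |
    awk -F'=' 'NF >= 2 {
        key = $1; sub(/[ \t]+$/, "", key); gsub("/", ".", key)
        val = substr($0, index($0, "=") + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        print key, val
    }'
}

# Emit "key value file" for every setting in every file, in apply order.
# (File names must not contain whitespace; mktemp paths never do.)
sysctl_settings() {
    for f in "$@"; do
        sysctl_pairs "$f" | while read -r key val; do
            printf '%s %s %s\n' "$key" "$val" "$f"
        done
    done
}

# Effective value of a key: the last file in apply order that sets it wins.
# Usage: effective_value KEY FILE...   (prints nothing if no file sets it)
effective_value() {
    key=$1; shift
    sysctl_settings "$@" | awk -v k="$key" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# Report keys set to different values by different files.
# Exit status 1 if any conflict was found, 0 otherwise.
sysctl_conflicts() {
    sysctl_settings "$@" | awk '
        $1 in val && val[$1] != $2 {
            printf "%s: %s sets %s, %s sets %s (later file wins)\n", $1, src[$1], val[$1], $3, $2
            found = 1
        }
        { val[$1] = $2; src[$1] = $3 }
        END { if (found) exit 1; exit 0 }'
}

# Constructed sample files (not the real ones) modelling the report:
#   10-network-security.conf : procps default, SYN cookies on
#   ufw-sysctl.conf          : pre-fix ufw default, SYN cookies off
#   ufw-sysctl-fixed.conf    : post-fix ufw, key left commented out
make_demo_files() {
    cat > "$1/10-network-security.conf" <<'EOF'
# procps, applied early at boot from /etc/sysctl.d
net.ipv4.tcp_syncookies=1
EOF
    cat > "$1/ufw-sysctl.conf" <<'EOF'
# ufw's own file, applied when the ufw service starts
net/ipv4/tcp_syncookies=0
net/ipv4/icmp_echo_ignore_broadcasts=1
EOF
    cat > "$1/ufw-sysctl-fixed.conf" <<'EOF'
# ufw after the fix: does not touch the key, so the sysctl.d value stands
#net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
EOF
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
procps="$demo_dir/10-network-security.conf"

for ufw in "$demo_dir/ufw-sysctl.conf" "$demo_dir/ufw-sysctl-fixed.conf"; do
    echo "== $procps then $ufw"
    if sysctl_conflicts "$procps" "$ufw"; then
        echo "no conflicting keys"
    fi
    echo "effective net.ipv4.tcp_syncookies=$(effective_value net.ipv4.tcp_syncookies "$procps" "$ufw")"
done
rm -rf "$demo_dir"
```

To audit a real system, run `sysctl_conflicts /etc/sysctl.d/*.conf /etc/sysctl.conf /etc/ufw/sysctl.conf` and compare the printed winner against `sysctl -n net.ipv4.tcp_syncookies`; a mismatch means something other than these files (a later service, or a manual `sysctl -w`) changed it.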