On Fri, 06 Oct 2000, Andreas Schuldei wrote:
> Why isn't
> /proc/sys/net/ipv4/tcp_syncookies
> =1 in the default install?

Because it causes problems, and even the kernel people who designed it think it is best to leave the thing disabled by default (which IS the reason why it is not enabled by default). You should search the -devel archives for past threads on this issue, I think, or search the linux-devel archives if you really want more info.

> What drawbacks would that have? Would it not increase protection and security?

tcp syncookies are somewhat like extremely strong medicine. It tries to kill the disease faster than it kills you :-)

The short version is that tcp syncookies may cause high-traffic hosts to leave clients hanging for no good reason, AFAIK.

--
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh