From 02096f8d7c7ee1f61285cf96564616f2828aa6c2 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 5 Oct 2019 13:13:46 +0000
Subject: [PATCH] Revert "undo Disabling TCP SACK, DSACK, FACK"

This reverts commit 5fb4eb8e561e7c37cea977072944501fc32ee883.
---
 debian/control                   | 2 ++
 debian/security-misc.maintscript | 3 ---
 etc/sysctl.d/tcp_sack.conf       | 5 +++++
 3 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 etc/sysctl.d/tcp_sack.conf

diff --git a/debian/control b/debian/control
index 8ccc838..461f477 100644
--- a/debian/control
+++ b/debian/control
@@ -43,6 +43,8 @@ Description: enhances misc security settings
  * The TCP/IP stack is hardened.
  .
  * This package makes some data spoofing attacks harder.
+ .
+ * SACK is disabled as it is commonly exploited and is rarely used.
  .
  * This package disables the merging of slabs of similar sizes to prevent an
  attacker from exploiting them.
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index c15d00e..2c93164 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -8,6 +8,3 @@ rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
 
 ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
 rm_conffile /etc/sysctl.d/sysrq.conf
-
-## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
-rm_conffile /etc/sysctl.d/tcp_sack.conf
diff --git a/etc/sysctl.d/tcp_sack.conf b/etc/sysctl.d/tcp_sack.conf
new file mode 100644
index 0000000..f949105
--- /dev/null
+++ b/etc/sysctl.d/tcp_sack.conf
@@ -0,0 +1,5 @@
+# Disables SACK as it is commonly exploited and likely not needed.
+# https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
+net.ipv4.tcp_sack=0
+net.ipv4.tcp_dsack=0
+net.ipv4.tcp_fack=0
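Review bot: The added description line ` * SACK is disabled as it is commonly exploited and is rarely used.` in debian/control is inaccurate on its second half: SACK is negotiated by default by essentially every current TCP implementation, so it is not rarely used, and turning it off measurably reduces throughput on lossy paths. The "commonly exploited" rationale presumably refers to kernel SACK-processing bugs that a patched kernel already fixes, which makes this a defence-in-depth setting with a real cost rather than a free hardening, and the text should say so. The same claim recurs in the header comment of the new etc/sysctl.d/tcp_sack.conf in the third hunk. Suggested wording: ` * TCP SACK, DSACK and FACK are disabled as a defence-in-depth mitigation against kernel TCP stack bugs; this may reduce throughput on lossy links.`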
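Review bot: Of the three settings in the new etc/sysctl.d/tcp_sack.conf only `net.ipv4.tcp_sack=0` does the work: DSACK is only ever sent on a connection that negotiated SACK, so `net.ipv4.tcp_dsack=0` is redundant once SACK is off, and `net.ipv4.tcp_fack` is, as far as I can tell, documented as a legacy no-op on kernels from roughly 4.15 onward. Neither extra line is harmful, but the comment should say which line is load-bearing so a later cleanup does not drop the wrong one, and should record that the `net.ipv4.tcp_*` sysctls govern TCP for IPv6 sockets too, so IPv6 is covered despite the name. I would replace the first comment line with a short paragraph stating that the file disables TCP SACK as a defence-in-depth mitigation for kernel SACK-processing bugs at a throughput cost on lossy links, that tcp_sack=0 is the effective setting while the DSACK and FACK lines are kept only for completeness, and that the settings apply to IPv6 TCP as well.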