comment out sack by default

https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
2024-10-01 08:25:45 -04:00 · 2019-10-05 13:15:34 +00:00 · 2019-10-05 13:15:34 +00:00 · 8b4f2befd4
commit 8b4f2befd4
parent 02096f8d7c
2 changed files with 5 additions and 4 deletions
--- a/debian/control
+++ b/debian/control
@ -44,7 +44,8 @@ Description: enhances misc security settings
 .
  * This package makes some data spoofing attacks harder.
 .
-  * SACK is disabled as it is commonly exploited and is rarely used.
+  * SACK can be disabled as it is commonly exploited and is rarely used by
+ commenting in settings in file /etc/sysctl.d/tcp_sack.conf.
 .
  * This package disables the merging of slabs of similar sizes to prevent an
 attacker from exploiting them.
--- a/etc/sysctl.d/tcp_sack.conf
+++ b/etc/sysctl.d/tcp_sack.conf
@ -1,5 +1,5 @@
 # Disables SACK as it is commonly exploited and likely not needed.
 # https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
-net.ipv4.tcp_sack=0
-net.ipv4.tcp_dsack=0
-net.ipv4.tcp_fack=0
+#net.ipv4.tcp_sack=0
+#net.ipv4.tcp_dsack=0
+#net.ipv4.tcp_fack=0