From: Michael Tremer Date: Thu, 18 Apr 2024 20:30:45 +0000 (+0100) Subject: sysctl: Conntrack: Disable picking up loose TCP connections X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Fsynproxy;p=people%2Fms%2Fipfire-2.x.git sysctl: Conntrack: Disable picking up loose TCP connections Signed-off-by: Michael Tremer
---
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 31a220e38..e35ee0dc4 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -35,6 +35,9 @@ net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
+# Do not try to pick up existing TCP connections in conntrack
+net.netfilter.nf_conntrack_tcp_loose = 0
+
 # Enable netfilter accounting
 net.netfilter.nf_conntrack_acct = 1
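Review bot: The comment added above `net.netfilter.nf_conntrack_tcp_loose = 0` says what the key does but not why it is set or what it costs operationally, and the commit message carries no rationale either. With loose pickup disabled, a TCP flow that has no conntrack entry (for example after a reboot or a conntrack flush) is no longer re-learned mid-stream and its packets are classified INVALID, so long-lived sessions through the firewall have to reconnect. That is the stricter behaviour one normally wants from a stateful firewall, and judging by the branch name it is presumably a SYNPROXY prerequisite, but that is an inference. I would extend the comment to something like `# Do not pick up mid-stream TCP connections (no SYN seen); they are treated as INVALID, so flows must reconnect after a conntrack flush or reboot`. The hardening only takes effect if the ruleset actually drops INVALID packets, which is not visible in this hunk.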