From 695c572993e9333507c235aebc602848c76039ce Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 18 Apr 2024 21:11:44 +0000 Subject: [PATCH] sysctl: Conntrack: Disable picking up loose TCP connections Signed-off-by: Michael Tremer --- config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 51a804043..819076b80 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -35,6 +35,9 @@ net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 +# Do not try to pick up existing TCP connections in conntrack +net.netfilter.nf_conntrack_tcp_loose = 0 + # Enable netfilter accounting net.netfilter.nf_conntrack_acct = 1 -- 2.39.5
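Review bot: The comment above the added `net.netfilter.nf_conntrack_tcp_loose = 0` line says what the setting does but not why it is wanted or what it costs operationally. With loose pickup disabled, conntrack no longer adopts a TCP flow it first sees mid-stream, so those packets are classified INVALID rather than NEW; this only tightens filtering if the ruleset drops INVALID, which is not visible in this hunk. It also means flows established before a reboot or a conntrack table flush stop passing and have to reconnect. I would expand the comment to something like `# Do not pick up TCP connections mid-stream; packets without a tracked handshake become INVALID (established flows break after a conntrack flush or reboot)`. As with the `nf_conntrack_acct` line below it, the key presumably exists only once nf_conntrack is loaded, so it is worth confirming this file is applied after that point.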