From 8b4f2befd46d4db4d2a83d9e79ebcf9abf98fd02 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 5 Oct 2019 13:15:34 +0000
Subject: [PATCH] comment out sack by default
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
---
 debian/control | 3 ++-
 etc/sysctl.d/tcp_sack.conf | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/debian/control b/debian/control
index 461f477..f1cd240 100644
--- a/debian/control
+++ b/debian/control
@@ -44,7 +44,8 @@ Description: enhances misc security settings
 .
 * This package makes some data spoofing attacks harder.
 .
- * SACK is disabled as it is commonly exploited and is rarely used.
+ * SACK can be disabled as it is commonly exploited and is rarely used by
+ commenting in settings in file /etc/sysctl.d/tcp_sack.conf.
 .
 * This package disables the merging of slabs of similar sizes to prevent an attacker from exploiting them.
diff --git a/etc/sysctl.d/tcp_sack.conf b/etc/sysctl.d/tcp_sack.conf
index f949105..7087dc0 100644
--- a/etc/sysctl.d/tcp_sack.conf
+++ b/etc/sysctl.d/tcp_sack.conf
@@ -1,5 +1,5 @@
 # Disables SACK as it is commonly exploited and likely not needed.
 # https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
-net.ipv4.tcp_sack=0
-net.ipv4.tcp_dsack=0
-net.ipv4.tcp_fack=0
+#net.ipv4.tcp_sack=0
+#net.ipv4.tcp_dsack=0
+#net.ipv4.tcp_fack=0
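Review bot: The header comment kept as context at the top of etc/sysctl.d/tcp_sack.conf still reads "Disables SACK as it is commonly exploited and likely not needed.", but all three settings below it are now commented out, so the shipped file changes nothing. Anyone auditing the drop-in by its comment may wrongly conclude SACK is off. I would reword it to state the new default and the opt-in, for example `# SACK is left enabled by default. Uncomment the lines below to disable SACK/DSACK/FACK.` With SACK left on, the host presumably relies on the running kernel carrying the SACK-handling fixes discussed in the linked thread, which is worth saying in the comment or the package description. In the debian/control hunk, "commenting in" is ambiguous and "uncommenting the settings in" would be clearer.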