[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: TCP Flags question



Thanks Henning.
So if you add just flags S/SA, that does allow ECN, right?
May I ask why you prefer S/SAFR vs. S/SA or S/SAFPRU?
Does anyone else have other flag combinations they like?
Daniel?
<> Jim
-----Original Message-----
 On Mon, Dec 09, 2002 at 06:06:03PM -0500, Small, Jim wrote:
> I have a question about TCP flags.  I read through the FAQ (see, it
actually
> *is* useful!) and it cleared it up somewhat.
> 
> So, if you add a TCP-based rule with flags S/SA, it will allow an initial
> "SYN" packet, but deny an initial packet with both the SYN and ACK flags
> set?
yup.
> e.g.  pass  in on $ExtIF inet proto tcp from any to any port $Services \
> 	flags S/SA keep state
> (From the FAQ)
> 
> If this is correct, then once a SYN packet is sent, a state entry is set
up
> (with a timeout) that allows the corresponding SYN-ACK back (from the
> target) and then the final SYN-ACK from the session initiator to establish
> the TCP session?  Is this right?
yup.
> Also, is flags S/SAFPRU better than flags S/SA?
I don't buy that.
S/SAFR perhaps.
I think the advantage of filtering on flags is overestimated.
> Why is using flags S by itself so bad?
because you filter connection attempts from ECN capable hosts (E bit set).
> What is modulate state?
tcp sequence numbers are replaced. it's to protect machines/apllicances with
weak sequence numbers.