Re: TCP Flags question
On Mon, Dec 09, 2002 at 06:32:01PM -0500, Small, Jim wrote:

> So if you add just flags S/SA, that does allow ECN, right?

Yes. Any flag not part of the set after the slash is ignored.

> May I ask why you prefer S/SAFR vs. S/SA or S/SAFPRU?
> Does anyone else have other flag combinations they like?

I like S/SA, but then I don't care if someone creates state with SYN+FIN
or SYN+RST, and I see no harm in SYN+PSH or SYN+URG at all. And I don't
care whether anyone successfully fingerprints my filter.

If you're curious, tcpdump your connections for a while and see what
flags come with SYN on legitimate connections...
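
Added example, not part of the original message: a small Python model of the `flags <set>/<mask>` semantics discussed in this thread, comparing S/SA, S/SAFR and S/SAFPRU against constructed SYN flag combinations. The function names and sample packets are assumptions made for illustration; the flag letters (E for ECE, W for CWR) follow pf.conf notation.

```python
# TCP header flag bits, keyed by the letters pf.conf uses.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def to_bits(letters):
    """Convert a string of flag letters such as 'SA' to a bitmask."""
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]
    return bits


def parse_spec(spec):
    """Split 'S/SA' into (flags that must be set, flags that are examined)."""
    want, _, mask = spec.partition("/")
    want_bits, mask_bits = to_bits(want), to_bits(mask)
    # Sanity check of this example: a required flag outside the mask
    # could never compare equal, so the spec would match nothing.
    if want_bits & ~mask_bits:
        raise ValueError("required flag not in mask: " + spec)
    return want_bits, mask_bits


def matches(spec, packet_flags):
    """True if the packet's flags satisfy the spec.

    Only bits in the mask are examined; every other flag is ignored.
    """
    want_bits, mask_bits = parse_spec(spec)
    return (to_bits(packet_flags) & mask_bits) == want_bits


def compare(specs, packets):
    """Return {packet: {spec: bool}} for every combination."""
    return {p: {s: matches(s, p) for s in specs} for p in packets}


# Constructed samples: plain SYN, ECN-setup SYN, odd SYN combos, SYN+ACK.
SAMPLE_PACKETS = ["S", "SEW", "SF", "SR", "SP", "SU", "SA"]
SPECS = ["S/SA", "S/SAFR", "S/SAFPRU"]

if __name__ == "__main__":
    table = compare(SPECS, SAMPLE_PACKETS)
    print("%-6s" % "flags" + "".join("%-10s" % s for s in SPECS))
    for pkt, row in table.items():
        cells = "".join("%-10s" % ("match" if row[s] else "-") for s in SPECS)
        print("%-6s" % pkt + cells)
```
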