[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TCP Flags question

> > Also, is flags S/SAFPRU better than flags S/SA?
> I don't buy that.
> S/SAFR perhaps.
> I think the advantage of filtering on flags is overestimated.
I use to use S/SA without much of a thought to it and nmap -O happily said I was
running Openbsd with scrub in all.  Upon changing my rule to a S/SAFPRU you can
nmap -O till you are blue in the face and nmap is clueless.  I think that a
decent advantage.  If you are just writing a rule for inbound connections ie a
webserver and you keep state then S/SAFPRU will make detection of the os
difficult if not impossible (assuming you block all other ports that aren't
open.)  It all falls upon how paranoid you are I suppose.