On Mon, Dec 09, 2002 at 06:06:03PM -0500, Small, Jim wrote:

> I have a question about TCP flags. I read through the FAQ (see, it actually
> *is* useful!) and it cleared it up somewhat.
>
> So, if you add a TCP-based rule with flags S/SA, it will allow an initial
> "SYN" packet, but deny an initial packet with both the SYN and ACK flags
> set?

yup.

> e.g. pass in on $ExtIF inet proto tcp from any to any port $Services \
> flags S/SA keep state
> (From the FAQ)
>
> If this is correct, then once a SYN packet is sent, a state entry is set up
> (with a timeout) that allows the corresponding SYN-ACK back (from the
> target) and then the final SYN-ACK from the session initiator to establish
> the TCP session? Is this right?

yup.

> Also, is flags S/SAFPRU better than flags S/SA?

I don't buy that. S/SAFR perhaps. I think the advantage of filtering on
flags is overestimated.

> Why is using flags S by itself so bad?

because you filter connection attempts from ECN capable hosts (E bit set).

> What is modulate state?

tcp sequence numbers are replaced. it's to protect machines/appliances with
weak sequence numbers.
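The flag-matching semantics behind this exchange, as an added illustration that is not part of the original mail: pf's `flags a/b` matches a TCP segment when the flags in mask `b`, and only those, are compared and equal set `a`, i.e. `(pkt_flags & b) == a`; with no `/b` the mask defaults to every flag (FSRPAUEW), which is why a bare `flags S` rejects a SYN that also carries the ECN bits. The parser and the sample packets below are my own (the names `parse_flags`, `flags_match` and `evaluate` are not pf's), built to show why `S/SA` admits an ECN SYN while `S` does not, and what `S/SAFR` additionally blocks.

```python
# Added example: pf-style "flags <set>/<mask>" matching on the TCP flags byte.
# The helper code and sample packets are constructed for illustration; they are
# not pf's implementation.

# pf flag letters mapped to their bit in the TCP header flags byte.
TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE (ECN-Echo)
    "W": 0x80,  # CWR (Congestion Window Reduced)
}


def letters_to_bits(letters):
    """Turn a string like 'SA' into the OR of the corresponding flag bits."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAG_BITS[ch]  # an unknown letter raises KeyError, as pfctl would reject it
    return bits


def parse_flags(spec):
    """Parse 'S/SA' into (set_bits, mask_bits).

    Without an explicit mask the mask is every flag (FSRPAUEW), so a bare 'S'
    means "SYN set and every other flag, including ECE/CWR, clear".
    """
    if "/" in spec:
        set_part, mask_part = spec.split("/", 1)
    else:
        set_part, mask_part = spec, "FSRPAUEW"
    set_bits = letters_to_bits(set_part)
    mask_bits = letters_to_bits(mask_part)
    if set_bits & ~mask_bits:
        raise ValueError(f"{spec}: every flag in the set must also be in the mask")
    return set_bits, mask_bits


def flags_match(pkt_flags, spec):
    """True if a segment with flags byte pkt_flags satisfies the flags spec."""
    set_bits, mask_bits = parse_flags(spec)
    return (pkt_flags & mask_bits) == set_bits


# Constructed sample segments: name -> TCP flags byte.
PACKETS = {
    "plain SYN": 0x02,
    "SYN+ACK": 0x12,
    "ECN SYN (SYN+ECE+CWR)": 0xC2,
    "SYN+FIN": 0x03,
    "SYN+RST": 0x06,
    "bare ACK": 0x10,
}


def evaluate(spec):
    """Apply one flags spec to every sample segment; True means the rule matches."""
    return {name: flags_match(flags, spec) for name, flags in PACKETS.items()}


if __name__ == "__main__":
    for spec in ("S/SA", "S/SAFR", "S/SAFPRU", "S"):
        print(f"flags {spec}")
        for name, ok in evaluate(spec).items():
            print(f"  {'match' if ok else 'skip':5}  {name}")
```

Running it shows the point of the reply: `S/SA` matches the plain SYN and the ECN SYN but not the SYN+ACK; `S/SAFR` additionally drops SYN+FIN and SYN+RST; a bare `S` matches only the plain SYN, so every connection attempt from an ECN-capable host falls through to whatever rule comes next.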
