On Mon, Dec 09, 2002 at 06:32:01PM -0500, Small, Jim wrote:
> So if you add just flags S/SA, that does allow ECN, right?

Yes. Any flag not part of the set after the slash is ignored.

> May I ask why you prefer S/SAFR vs. S/SA or S/SAFPRU?
>
> Does anyone else have other flag combinations they like?
>
> Daniel?

I like S/SA, but then I don't care if someone creates state with SYN+FIN or SYN+RST, and I see no harm in SYN+PSH or SYN+URG at all. And I don't care whether anyone successfully fingerprints my filter. If you're curious, tcpdump your connections for a while and see what flags come with SYN on legitimate connections...

Daniel
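The matching rule Daniel describes ("any flag not part of the set after the slash is ignored"), worked through as an added example that is not from this thread and not pf's own code: a small Python model of a pf `flags A/B` check, run against constructed SYN variants to show which of the three specs under discussion accept an ECN-setup SYN and which accept SYN+FIN.

```python
# Added example, not pf's implementation: a model of how a pf "flags A/B"
# specification matches a TCP header. Only the flags listed after the slash
# (the mask B) are examined; of those, exactly the ones in A must be set, and
# every flag outside the mask is ignored.

# TCP flag bits in header order (RFC 793, plus the ECN bits from RFC 3168),
# using pf's single-letter names.
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}

def flags_to_bits(letters: str) -> int:
    """Convert a pf-style flag string such as "SA" to a TCP flags byte."""
    bits = 0
    for letter in letters:
        bits |= TCP_FLAGS[letter]
    return bits

def matches(spec: str, flags: int) -> bool:
    """Return True if the TCP flags byte satisfies a pf "flags A/B" spec."""
    want, mask = spec.split("/")
    # Flags outside the mask are dropped before the comparison, so an
    # ECN-setup SYN (SYN+ECE+CWR) still looks like a plain SYN to "S/SA".
    return (flags & flags_to_bits(mask)) == flags_to_bits(want)

def which_specs_match(flags: int, specs=("S/SA", "S/SAFR", "S/SAFPRU")) -> list:
    """List the specs from the thread that a given flags byte satisfies."""
    return [s for s in specs if matches(s, flags)]

if __name__ == "__main__":
    # Constructed sample packets: an ECN-setup SYN, a SYN+FIN, and a SYN+ACK.
    samples = {
        "SYN+ECE+CWR (ECN setup)": flags_to_bits("SEW"),
        "SYN+FIN": flags_to_bits("SF"),
        "SYN+ACK": flags_to_bits("SA"),
    }
    for name, bits in samples.items():
        print(f"{name:25s} matches {which_specs_match(bits)}")
```

All three specs accept the ECN-setup SYN, while only S/SA creates state for SYN+FIN, which is exactly the trade-off Daniel describes.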
