Subject: Re: ipfilter and service specific TCP flags
To: None <firstname.lastname@example.org>
From: Charles Swiger <email@example.com>
Date: 11/02/2006 17:03:17
On Nov 2, 2006, at 3:24 PM, firstname.lastname@example.org wrote:
> Maybe I've just not been looking hard enough or haven't found the
> information yet. However, does anyone know of a list or solid
> documentation regarding which TCP flags need to be set for various
> services like SSH, SMTP, HTTP, etc?
All of the services you've mentioned are TCP-based, and that protocol
is defined in RFC-793.
> Perhaps I missed something in the RFC for the SSH protocol, but I
> didn't find what I was looking for in there. It seems that flags S/
> SA are okay for SSH and HTTP. It would be great to find out for
> sure though.
It's normal for them to use SYN, ACK, FIN, PUSH, and URG.
It's reasonable for a firewall to block certain combinations,
especially those used by the NMAP or other flavors of port-scanner:
null flags (nmap test 2), SYN+ECE (nmap T1), SYN+FIN (T/TCP or odd
scanner), FIN+URG+PUSH (nmap Xmas scan aka T7), and SYN+FIN+URG+PUSH
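The following is an added example, not code from the original thread. It shows where the flag byte sits in a raw TCP header, what an ipfilter "flags S/SA" test actually checks (of the SYN and ACK bits, SYN must be set and ACK clear; every other bit is ignored), and an exact-match table of the scanner flag combinations listed in the reply. The sample headers are constructed here; the probe labels are the ones the reply uses, and treating each combination as an exact match on the whole flag byte is this example's own choice.

```python
import struct

# TCP flag bits in the order they occupy the header's flag byte
# (RFC 793; ECE and CWR were added by RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = (("F", FIN), ("S", SYN), ("R", RST), ("P", PSH),
              ("A", ACK), ("U", URG), ("E", ECE), ("C", CWR))

# Flag combinations the reply names as scanner signatures.  Exact-match
# on the full flag byte is an assumption of this example, not ipfilter
# semantics; the nmap labels are taken from the reply.
SIGNATURES = (
    ("null flags (nmap T2)", 0),
    ("SYN+ECE (nmap T1)", SYN | ECE),
    ("SYN+FIN (T/TCP or odd scanner)", SYN | FIN),
    ("FIN+URG+PUSH (nmap Xmas, T7)", FIN | URG | PSH),
    ("SYN+FIN+URG+PUSH", SYN | FIN | URG | PSH),
)


def build_tcp_header(flags, sport=40000, dport=22):
    """Constructed 20-byte TCP header with no options (sample input only)."""
    data_offset = 5 << 4  # 5 32-bit words, upper nibble of octet 12
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def tcp_flags(header):
    """Return the flag byte: octet 13 of a TCP header."""
    return header[13]


def flag_letters(flags):
    """Render a flag byte with ipfilter's single-letter names ('0' if none)."""
    return "".join(letter for letter, bit in FLAG_NAMES if flags & bit) or "0"


def flags_match(flags, want, mask):
    """ipfilter 'flags want/mask' semantics: of the bits in mask, exactly
    those in want must be set; bits outside mask are not examined."""
    return flags & mask == want


def allow_new_connection(flags):
    """The 'flags S/SA' test for a new SSH/HTTP connection: SYN set, ACK clear."""
    return flags_match(flags, SYN, SYN | ACK)


def classify(flags):
    """Name the scanner signature an exact flag byte matches, else None."""
    for name, pattern in SIGNATURES:
        if flags == pattern:
            return name
    return None


if __name__ == "__main__":
    for f in (SYN, SYN | ACK, 0, SYN | FIN, FIN | URG | PSH, SYN | ECE | CWR):
        fl = tcp_flags(build_tcp_header(f))
        print(f"{flag_letters(fl):6} S/SA ok={allow_new_connection(fl)!s:5} "
              f"scan={classify(fl)}")
```

Note the last sample: an ECN-capable stack opens a connection with SYN+ECE+CWR (RFC 3168), which passes the S/SA test because ECE and CWR are outside the mask, and does not hit an exact SYN+ECE signature. A block rule written with a looser mask would drop legitimate ECN setup, so check the mask, not just the set bits, before deploying such a rule.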