Subject: Re: ipfilter and service specific TCP flags
To: None <>
From: Charles Swiger <>
List: netbsd-users
Date: 11/02/2006 17:03:17
On Nov 2, 2006, at 3:24 PM, wrote:
> Maybe i've just not been looking hard enough or haven't found the  
> information yet. However, does anyone know of a list or solid  
> documentation regarding which TCP flags need to be set for various  
> services like SSH, SMTP, HTTP, etc?

All of the services you've mentioned are TCP-based, and that protocol  
is defined in RFC-793.

> Perhaps i missed something in the RFC for the SSH protocol, but i  
> didn't find what i was looking for in there. It seems that flags S/ 
> SA are okay for SSH and HTTP. It would be great to find out for  
> sure though.

It's normal for them to use SYN, ACK, FIN, PUSH, and URG.

It's reasonable for a firewall to block certain combinations,  
especially those used by the NMAP or other flavors of port-scanner:  
null flags (nmap test 2), SYN+ECE (nmap T1), SYN+FIN (T/TCP or odd  
scanner), FIN+URG+PUSH (nmap Xmas scan aka T7), and SYN+FIN+URG+PUSH  
(nmap T3).