Subject: Re: ipfilter and service specific TCP flags
To: None <netbsd-users@netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-users
Date: 11/03/2006 00:29:26
diro@nixsys.bz wrote:
> Maybe I've just not been looking hard enough or haven't found the
> information yet. However, does anyone know of a list or solid documentation
> regarding which TCP flags need to be set for various services like SSH,
> SMTP, HTTP, etc?

> Perhaps I missed something in the RFC for the SSH protocol, but I didn't
> find what I was looking for in there. It seems that flags S/SA are okay for
> SSH and HTTP. It would be great to find out for sure though.

These flags are specific to TCP but not to any protocol on top of it. You
shouldn't have to worry about any other flags. You should read the RFCs
relevant for TCP, especially RFC 793, if you want to know all the details
regarding these flags.

For each service on a given TCP port you'd typically have rules like this:

  # inbound (for servers)
  pass in on $DEVICE proto tcp from any to any port = $PORT flags S/SA keep state

  # outbound (for clients)
  pass out on $DEVICE proto tcp from any to any port = $PORT flags S/SA keep state

And that's all you need to permit a given TCP-based protocol. "flags S/SA"
matches a connection initiation and "keep state" takes care of the rest.

There are some examples and additional information in /usr/share/misc/examples/ipf/.

-- 
Christian
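Added example, not part of the original post: how ipfilter's "flags F/M" test is evaluated against a packet, so it is clear why "flags S/SA" matches only the first SYN of a connection and not the SYN-ACK reply or any later segment. The rule is that a packet matches when (packet_flags & M) == F. The TCP header layout and flag bit values follow RFC 793 (ECE/CWR from RFC 3168); the sample packets are constructed here, the helper names are my own, and the default mask used when no "/M" is given is an assumption, not something the post states.

```python
# Added example (not from the original post or the ipfilter sources): evaluate
# an ipf "flags F/M" specification against TCP packets the way the post
# describes it: a packet matches when (packet_flags & M) == F.
# Flag bit values from RFC 793 (ECE/CWR from RFC 3168). Sample packets below
# are constructed for illustration.
import struct

# TCP flag bits as they sit in byte 13 of the header (the flags byte).
TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE (RFC 3168)
    "C": 0x80,  # CWR (RFC 3168)
}


def _letters_to_bits(letters: str) -> int:
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec: str, default_mask: str = "FSRPAU") -> tuple:
    """Turn an ipf flags argument such as "S/SA" into (flags, mask) bitmasks.

    "S/SA" means: of the SYN and ACK bits, exactly SYN must be set; every
    other bit is ignored. When no mask is given, this example assumes
    (assumption, not from the post) that the six RFC 793 flags are examined.
    """
    if "/" in spec:
        want, mask = spec.split("/", 1)
    else:
        want, mask = spec, default_mask
    want_bits, mask_bits = _letters_to_bits(want), _letters_to_bits(mask)
    if want_bits & ~mask_bits:
        raise ValueError(f"flags {want!r} not covered by mask {mask!r}")
    return want_bits, mask_bits


def flags_match(spec: str, packet_flags: int) -> bool:
    """True if packet_flags satisfies the ipf flags spec."""
    want, mask = parse_flags_spec(spec)
    return (packet_flags & mask) == want


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header; seq/ack/window/csum zeroed."""
    data_offset = 5 << 4  # 5 * 4 = 20 bytes, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 0, 0, 0)


def tcp_flags_from_header(header: bytes) -> int:
    """Extract the flags byte from a raw TCP header (RFC 793 layout)."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13]


S, A, F, R, E, C = (TCP_FLAG_BITS[k] for k in "SAFREC")

# Constructed sample segments from one SSH session (port 22).
SAMPLE_PACKETS = {
    "SYN (client opens connection)": build_tcp_header(40000, 22, S),
    "SYN with ECN (RFC 3168 setup)": build_tcp_header(40000, 22, S | E | C),
    "SYN-ACK (server reply)": build_tcp_header(22, 40000, S | A),
    "ACK (established)": build_tcp_header(40000, 22, A),
    "FIN-ACK (close)": build_tcp_header(40000, 22, F | A),
    "RST (abort)": build_tcp_header(22, 40000, R),
}


def classify(spec: str) -> dict:
    """Map each sample packet name to whether the flags spec matches it."""
    return {name: flags_match(spec, tcp_flags_from_header(hdr))
            for name, hdr in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for spec in ("S/SA", "S"):
        print(f"flags {spec}:")
        for name, hit in classify(spec).items():
            print(f"  {'match ' if hit else 'ignore'}  {name}")
```

Running it shows that "flags S/SA" selects only the two SYN-only segments (the plain one and the one carrying ECN bits, which the SA mask ignores) and lets the SYN-ACK, ACK, FIN-ACK and RST fall through to whatever other rules or the state table decide; that is exactly the "connection initiation" the rule is meant to admit before "keep state" takes over.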