why good to drop *these* TCP flag settings...?....

seberino at spawar.navy.mil seberino at spawar.navy.mil
Tue Apr 5 08:25:53 CEST 2005

Why are these flag combos in iptables rules good to drop???

# Is the explanation for these because SYN starts a
# connection and it doesn't make sense to reset (RST)
# or terminate (FIN) at the same time you're initiating (SYN)???
   --tcp-flags SYN,RST SYN,RST -j DROP
   --tcp-flags SYN,FIN SYN,FIN -j DROP

# Is this obvious in that you can't finish (FIN) and
# reset (RST) at the same time?
   --tcp-flags FIN,RST FIN,RST -j DROP

# Can these be explained by simple fact that *ALL* packets
# must have ACK set after connection established?? Is that right?
# (if yes, could we add 'ACK,RST RST' to drop list as well?)
   --tcp-flags ACK,FIN FIN     -j DROP
   --tcp-flags ACK,PSH PSH     -j DROP
   --tcp-flags ACK,URG URG     -j DROP

What would DROP rule look like to protect against Xmas tree scan?
You'd want to drop packets with FIN, PSH and URG /all/ set right?



