why good to drop *these* TCP flag settings...?....

Jörg Harmuth harmuth at mnemon.de
Wed Apr 6 14:33:43 CEST 2005


some time ago that I read the RFC, so none of this is to be taken as
"last wisdom" :)

> # Is the explanation for these because SYN starts a
> # connection and it doesn't make sense to reset (RST)
> # or terminate (FIN) at the same time you're initiating (SYN)???
> --tcp-flags SYN,RST SYN,RST -j DROP
> --tcp-flags SYN,FIN SYN,FIN -j DROP

A packet with SYN set has either no other flags set (starting a
connection, moving to state SYN_SENT) or has an additional ACK set
(moving from state SYN_RECEIVED to ESTABLISHED). So these combinations
of flags are impossible in normal TCP/IP communication. Chances are
good that you are being scanned.

> # Is this obvious in that you can't finish (FIN) and
> # reset (RST) at the same time?
> --tcp-flags FIN,RST FIN,RST -j DROP

Yes, also according to the RFC an RST packet can only have an
additional ACK.

> # Can these be explained by the simple fact that *ALL* packets
> # must have ACK set after connection established?? Is that right?
> # (if yes, could we add 'ACK,RST RST' to drop list as well?)
> --tcp-flags ACK,FIN FIN -j DROP
> --tcp-flags ACK,PSH PSH -j DROP
> --tcp-flags ACK,URG URG -j DROP

As far as I remember PSH and URG must be sent only with an ACK, but I
can't tell this for sure. The FIN rule will cause trouble sometimes,
at least this is my opinion. Although normally FIN comes along with an
ACK, the RFC states that single FINs may be sent (e.g. moving from
ESTABLISHED to FIN_WAIT_1). So with this FIN rule some connections
will not terminate correctly.

> What would DROP rule look like to protect against Xmas tree scan?
> You'd want to drop packets with FIN, PSH and URG /all/ set right?


Any other thoughts?

Have a nice time,


> Thanks!
> Chris

--
-----------------------------------------------------------------------
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach

Tel.: (+49) 22 26  87 18 12
Fax:  (+49) 22 26 87 18 19
mail: harmuth at mnemon.de
Web:  http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2  7F5D B7D7 E48E 267B 204F
-----------------------------------------------------------------------
This mail was checked for viruses and other malicious software before
sending. No malicious software was detected.
-----------------------------------------------------------------------
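As an added example (not code from the original mail, and not part of netfilter itself), the following Python models the matching semantics of the iptables `--tcp-flags mask comp` option, which matches when, of the flags named in `mask`, exactly those named in `comp` are set, and runs the DROP rules quoted in the thread over constructed packets. It also adds one Xmas-tree rule for the last question; the form `--tcp-flags ALL FIN,PSH,URG` (FIN, PSH and URG set and nothing else) is my assumption, as is the sample TCP header built with `make_tcp_header`.

```python
"""Model of iptables '--tcp-flags MASK COMP' matching, applied to the rules
discussed in the thread.  Added example, not code from the original mail.

Semantics (from the iptables man page): the rule matches when, considering
only the flags named in MASK, exactly the flags named in COMP are set.
"""
from __future__ import annotations

import struct

# TCP flag bits as laid out in the flags byte of the TCP header.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
# iptables also accepts these two words in a --tcp-flags list.
ALIASES = {"ALL": sum(FLAGS.values()), "NONE": 0}


def flag_bits(spec: str) -> int:
    """Turn an iptables flag list such as 'SYN,RST' into a bitmask."""
    bits = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name in ALIASES:
            bits |= ALIASES[name]
        elif name in FLAGS:
            bits |= FLAGS[name]
        else:
            raise ValueError(f"unknown TCP flag {name!r}")
    return bits


def tcp_flags_match(packet_flags: int, mask: str, comp: str) -> bool:
    """iptables semantics: of the flags in MASK, exactly those in COMP are set."""
    return packet_flags & flag_bits(mask) == flag_bits(comp)


# The DROP rules from the thread, plus one Xmas-tree rule (assumption:
# --tcp-flags ALL FIN,PSH,URG, i.e. FIN, PSH and URG set and nothing else).
# Each entry is (mask, comp, description).
RULES = [
    ("SYN,RST", "SYN,RST", "SYN and RST together"),
    ("SYN,FIN", "SYN,FIN", "SYN and FIN together"),
    ("FIN,RST", "FIN,RST", "FIN and RST together"),
    ("ACK,FIN", "FIN", "FIN without ACK"),
    ("ACK,PSH", "PSH", "PSH without ACK"),
    ("ACK,URG", "URG", "URG without ACK"),
    ("ALL", "FIN,PSH,URG", "Xmas tree (FIN,PSH,URG and nothing else)"),
]


def matching_rules(packet_flags: int) -> list[str]:
    """Every rule in the chain that would match this flag byte."""
    return [why for mask, comp, why in RULES
            if tcp_flags_match(packet_flags, mask, comp)]


def verdict(packet_flags: int) -> tuple[str, str | None]:
    """Walk the chain top to bottom like netfilter does; first match wins."""
    hits = matching_rules(packet_flags)
    return ("DROP", hits[0]) if hits else ("ACCEPT", None)


def make_tcp_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options) carrying the given flags."""
    # src port, dst port, seq, ack, data offset (5 words) << 4, flags,
    # window, checksum (left zero), urgent pointer
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)


def flags_from_tcp_header(header: bytes) -> int:
    """Extract the flags byte (offset 13) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return header[13]


if __name__ == "__main__":
    samples = ["SYN", "SYN,ACK", "ACK", "ACK,PSH", "FIN,ACK", "RST",
               "SYN,RST", "SYN,FIN", "FIN,RST", "FIN", "PSH", "FIN,PSH,URG"]
    for spec in samples:
        bits = flags_from_tcp_header(make_tcp_header(flag_bits(spec)))
        action, why = verdict(bits)
        print(f"{spec:12s} 0x{bits:02x}  {action:6s} {why or ''}")
```

Running it shows the caveat raised above: a lone FIN (0x01) is dropped by `--tcp-flags ACK,FIN FIN`, while FIN,ACK passes. It also shows that an Xmas probe (FIN,PSH,URG) is already caught by the three ACK-less rules before the dedicated Xmas rule is reached, so the ordering of the chain decides which rule's counter increments, and a lone RST is accepted because no quoted rule covers it.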

