not sure ESTABLISHED TCP traffic will have ACK flag set always...

Christian Seberino seberino at spawar.navy.mil
Fri Apr 8 17:57:24 CEST 2005


Firewall packet filter question.....


**After** setting up a TCP connection, it may seem to make
sense that ALL future packets would set the ACK flag.

(ACK is important in 2 way communication since both sides
need to constantly confirm //receipt// of _past_ packets.)

Therefore, you might think it would be a good idea to
set up your firewall to drop packets on ESTABLISHED
connections that don't have the ACK bit set.

However, here is an apparent case where non-ACKs exist!!!...

1. One way traffic!!! --- sender has nothing to ACK!

2. One side sends LESS packets than the other! --
   fast side doesn't have enough incoming to ACK either!

Agree? Why then do people say to drop non-ACK'd packets
as suspicious??.... I would think it would be common
for one side to send more packets than the other.  I could
be wrong.

Chris
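As an added illustration (not part of Chris's post or of netfilter), here is a small Python model of the question: once the handshake has completed, an endpoint always knows the next sequence number it expects from its peer, puts it in the acknowledgment field of every segment it sends, and therefore sets the ACK bit even when only one side is sending data. The names `Endpoint`, `one_way_transfer` and `established_filter` are constructed for this example, and the TCP model is deliberately minimal (no checksums, windows or retransmission).

```python
import struct

# TCP flag bits of header byte 13 (constructed example, not from the post).
SYN, PSH, ACK = 0x02, 0x08, 0x10


def build_segment(seq, ack, flags, payload=b""):
    """Minimal 20-byte TCP header; ports fixed, checksum left at zero."""
    header = struct.pack("!HHIIHHHH", 40000, 80, seq, ack,
                         (5 << 12) | flags, 65535, 0, 0)
    return header + payload

def ack_number(segment):
    return struct.unpack("!I", segment[8:12])[0]

def has_ack(segment):
    return bool(segment[13] & ACK)


class Endpoint:
    """Just enough TCP state to decide which flags an outgoing segment gets."""

    def __init__(self, isn):
        self.snd_nxt = isn      # next sequence number we will send
        self.rcv_nxt = None     # next sequence number expected from the peer

    def send(self, payload=b"", extra=0):
        # Once rcv_nxt is known (after the peer's SYN), every segment carries
        # it in the ack field and so has ACK set, even if the peer stays silent.
        flags = extra | (ACK if self.rcv_nxt is not None else 0)
        seg = build_segment(self.snd_nxt, self.rcv_nxt or 0, flags, payload)
        self.snd_nxt += len(payload) + (1 if extra & SYN else 0)
        return seg

    def receive(self, segment):
        seq = struct.unpack("!I", segment[4:8])[0]
        syn_len = 1 if segment[13] & SYN else 0
        self.rcv_nxt = seq + len(segment[20:]) + syn_len


def established_filter(segment):
    """The rule discussed in the post: in ESTABLISHED state, drop without ACK."""
    return "ACCEPT" if has_ack(segment) else "DROP"

def one_way_transfer(n_segments):
    client, server = Endpoint(isn=1000), Endpoint(isn=5000)
    server.receive(client.send(extra=SYN))          # SYN
    client.receive(server.send(extra=SYN))          # SYN+ACK
    server.receive(client.send())                   # ACK completes handshake
    # Only the client sends data; the server never replies with anything.
    return [client.send(b"x" * 100, extra=PSH) for _ in range(n_segments)]
```

Every data segment from the silent-peer transfer still carries ack number 5001 and the ACK bit, so the filter accepts them; only a segment built without ACK is dropped.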




More information about the netfilter mailing list