Re: valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc.
Date: Wed, 26 Jan 2005 14:08:15 -0500	[thread overview]
Message-ID: <20050126190815.GA7187@bender.817west.com> (raw)
In-Reply-To: <20050126052658.GA17112@spawar.navy.mil>

On Tue, Jan 25, 2005 at 09:26:58PM -0800, seberino@spawar.navy.mil wrote:
> Lopsch
> 
> Thanks for your email.  I know a little about TCP flags.
> IIRC, ACK means 'Acknowlegement'
> and FIN means 'Finish Connection'.
> 
> Why would TCP want everyone to turn on ACK when they
> want to finish a connection with FIN?
> 
> I assume that TCP was written to do 2 errands in one
> TCP datagram?...1. acknowledge last datagram received
>                 2. terminate connection
> 
> It seems odd you can't terminate a connection (FIN)
> without also acknowledging something to me.
> 
> Chris

read:
  http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh.htm

and:
  http://www.tcpipguide.com/free/t_TCPConnectionTermination.htm

if you want a better understanding of TCP connection setup and
termination and the flags set during each phase.

the quick answer to your question is that an actual OS TCP/IP stack will
always set the ACK bit when sending a FIN, URG, or PSH packet.  FIN,
URG, and PSH packets that are sent without the ACK bit set were probably
generated by some scanner tool (nmap, hping) or by somebody's custom
code (perl script).

-j

--
"Operator! Give me the number for 911!"
        --The Simpsons

next prev parent reply	other threads:[~2005-01-26 19:08 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-01-26  0:18 valid INPUT/OUTPUT rule piece?--> '-p tcp --tcp-flags ACK, FIN FIN -j DROP', etc seberino
2005-01-26  0:37 ` Lopsch
2005-01-26  5:26   ` seberino
2005-01-26 19:08     ` Jason Opperisano [this message]
2005-01-26 19:40       ` seberino
2005-01-31 20:42       ` seberino
2005-01-31 21:04         ` Jason Opperisano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050126190815.GA7187@bender.817west.com \
    --to=opie@817west.com \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.