From: Jorge Davila <davila@nicaraguaopensource.com>
To: Franck Joncourt <franck.joncourt@wanadoo.fr>,
netfilter@lists.netfilter.org
Subject: Re: SYN/ACK and NEW packets
Date: Sat, 04 Aug 2007 14:26:12 -0600 [thread overview]
Message-ID: <web-22036612@bk3.webmaillogin.com> (raw)
In-Reply-To: <20070804192109.GB4205@sid.toystory.lan>
Well, in the three-way handshake the flags in the packets are:
1) syn packet sent by the client
2) syn,ack sent by the server
3) ack sent by the client
The packets in the NEW state for a stateful firewall (such as iptables) are
packets that belong to a new "data stream", marked with the syn flag.
The packets in the INVALID state are packets, in your case specifically,
that imply a new "data stream" (or more properly, packets that do not
belong to a connection previously ESTABLISHED or to a connection RELATED to
a connection previously ESTABLISHED), but this new "data stream" is not
negotiating to open a new socket; it is just sending "data".
To extend the analogy of the three-way handshake, someone is trying to shake
your hand but you see the person until you have the sense of the other hand
in your hand, then you are surprised, retire your hand and face the other
person trying to recognize who it is, do not shake his hand and do not
speak to him.
In fact, there are 0 packets in the state NEW with the flags
FIN,SYN,RST,ACK/SYN,ACK because the packets that you sent do not have the
right flags to be considered valid packets to open a new connection.
Jorge.
On Sat, 4 Aug 2007 21:21:09 +0200
Franck Joncourt <franck.joncourt@wanadoo.fr> wrote:
> Hi,
>
> Looking at this :
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#SYNACKANDNEW
>
> I understand that in order to prevent my ip address from being spoofed,
> I should reject NEW packets with the SYN/ACK flags set and the others
> cleared.
>
> However, with the following nmap command I have tried to check it out :
>
> nmap --scanflags SYNACK 192.168.0.1
>
> all packets are known to be in the INVALID state rather than in the NEW
> state.
>
> state NEW tcp flags:FIN,SYN,RST,ACK/SYN,ACK -> 0 packet
> state INVALID tcp flags:FIN,SYN,RST,ACK/SYN,ACK -> 170 packets
>
> They talk about sequence number, as well, in the document, but I can't
> figure out what difference it makes.
>
> Did I miss anything ?
>
> --
> Franck Joncourt
> http://www.debian.org - http://smhteam.info/wiki/
> GPG server : pgpkeys.mit.edu
> Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com
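Added example, not part of the thread or of netfilter itself: a toy Python model of the behaviour Jorge describes. It implements the MASK/COMP semantics of the `FIN,SYN,RST,ACK/SYN,ACK` flag match from Franck's output and a minimal connection tracker in which only a bare SYN can open a flow, so a replay of `nmap --scanflags SYNACK` (constructed packets from a made-up source 192.168.0.77 against 192.168.0.1) lands entirely in INVALID, never NEW. The model deliberately ignores per-direction sequence checks and mid-stream pickup, so it is an illustration of the classification logic, not of real conntrack.

```python
from dataclasses import dataclass

# TCP flag bits, restricted to the four flags the rule on the page inspects.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "ACK": 0x10}


def flagmask(names: str) -> int:
    """Turn 'SYN,ACK' into a bitmask; an empty string means no flags."""
    return sum(FLAGS[n] for n in names.split(",") if n)


def tcp_flags_match(pkt_flags: int, mask: str, comp: str) -> bool:
    """iptables --tcp-flags MASK COMP: of the bits in MASK, exactly COMP must be set."""
    return (pkt_flags & flagmask(mask)) == flagmask(comp)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class Conntrack:
    """Toy tracker: a flow exists only after a bare SYN was seen (simplified model)."""

    def __init__(self):
        self.flows = {}  # (src, sport, dst, dport) -> state

    def classify(self, p: Packet) -> str:
        key, rkey = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if key in self.flows or rkey in self.flows:
            return "ESTABLISHED"          # either direction of a tracked flow
        if p.flags == FLAGS["SYN"]:       # only a bare SYN opens a new flow
            self.flows[key] = "SYN_SENT"
            return "NEW"
        return "INVALID"                  # SYN/ACK, bare ACK, ... with no flow behind it


def synack_scan_counts(ports) -> dict:
    """Constructed replay of `nmap --scanflags SYNACK`: one SYN/ACK per port, no prior SYN."""
    ct, counts = Conntrack(), {"NEW": 0, "ESTABLISHED": 0, "INVALID": 0}
    for port in ports:
        p = Packet("192.168.0.77", 40000 + port, "192.168.0.1", port, flagmask("SYN,ACK"))
        if tcp_flags_match(p.flags, "FIN,SYN,RST,ACK", "SYN,ACK"):  # the rule's flag match
            counts[ct.classify(p)] += 1
    return counts


def handshake_states() -> list:
    """A proper three-way handshake (constructed hosts) for comparison."""
    ct, c, s = Conntrack(), ("10.0.0.2", 51000), ("10.0.0.1", 80)
    pkts = [Packet(*c, *s, flagmask("SYN")), Packet(*s, *c, flagmask("SYN,ACK")),
            Packet(*c, *s, flagmask("ACK"))]
    return [ct.classify(p) for p in pkts]
```

Running `synack_scan_counts(range(1, 171))` reproduces the 170 INVALID / 0 NEW split from the quoted log, while `handshake_states()` shows the legitimate sequence NEW, ESTABLISHED, ESTABLISHED.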