On Monday 08 March 2004 8:12 pm, David Cannings wrote:
> > 0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,ACK/FIN
>
> As I understand it, this means "check the flags FIN and ACK, only match if
> FIN is set and ACK isn't". This would match packets that only have the
> FIN flag set, which I am fairly sure are valid. I may need correcting on
> this issue, however.

You are correct.

TCP connections start with:

packet 1: SYN (only) from the client
packet 2: SYN/ACK from the server
packet 3: ACK from the client

All further packets have the ACK flag set, from both client and server,
and then they end with:

packet n-3: FIN (only) from the side which wants to stop talking
packet n-2: FIN/ACK from the other side
packet n-1: FIN (only) from the other side (to confirm it will stop talking too)
packet n:   FIN/ACK from the side which ended the communication

(Although note that the final two packets are optional and often not seen;
indeed they are often blocked by netfilter because by that time it thinks the
connection is no longer ESTABLISHED.)

Regards,

Antony.

--
What is this talk of "software release"? Our software evolves and matures
until it is capable of escape, leaving a bloody trail of designers and
quality assurance people in its wake.

Please reply to the list; please don't CC me.
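As an added example (not code from the mail or from the netfilter project), the following Python implements the mask/compare semantics of a `tcp flags:MASK/COMP` rule as printed by `iptables -L`, then walks the packet sequence the reply describes to show which steps the quoted rule would drop; the packet list is constructed from that description, with one PSH/ACK data packet added for illustration.

```python
import re

# Added example: iptables "--tcp-flags MASK COMP" evaluation. Not from the
# mail or from netfilter; flag values are the standard TCP header bits.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(spec):
    """Turn a comma list such as 'FIN,ACK' (or ALL / NONE) into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name.strip()] for name in spec.split(","))


def parse_rule(listing_line):
    """Extract (mask, comp) from the 'tcp flags:MASK/COMP' fragment of a listing line."""
    m = re.search(r"tcp flags:([A-Z,]+)/([A-Z,]+)", listing_line)
    if not m:
        raise ValueError("no tcp flags match in rule: " + listing_line)
    return flag_bits(m.group(1)), flag_bits(m.group(2))


def rule_matches(mask, comp, packet_flags):
    """netfilter looks only at the bits in mask and matches if exactly comp is set."""
    return (packet_flags & mask) == comp


# Constructed packet sequence, labelled as in the reply.
EXCHANGE = [
    ("1 SYN from client", "SYN"),
    ("2 SYN/ACK from server", "SYN,ACK"),
    ("3 ACK from client", "ACK"),
    ("data PSH/ACK", "PSH,ACK"),
    ("n-3 FIN from closing side", "FIN"),
    ("n-2 FIN/ACK from other side", "FIN,ACK"),
    ("n-1 FIN from other side", "FIN"),
    ("n FIN/ACK from closing side", "FIN,ACK"),
]


def dropped_by(listing_line, exchange=EXCHANGE):
    """Return the labels of the packets in the exchange that the rule would match."""
    mask, comp = parse_rule(listing_line)
    return [label for label, flags in exchange
            if rule_matches(mask, comp, flag_bits(flags))]


if __name__ == "__main__":
    rule = "0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,ACK/FIN"
    print(dropped_by(rule))  # only the two FIN-only packets match
```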