Hi,
After sending you my list I found some bugs. :D
We have the following flags:
(http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure)
URG, ACK, PSH, RST, SYN, FIN
There are 64 (=2 to the power 6) variations possible.
So here is my new INVALID list:
ACK,SYN,FIN,RST NONE --> -4 variations. (PSH and URG never should be
set alone.)
RST,SYN RST,SYN --> -16 variations.
RST,FIN RST,FIN --> -8 variations.
SYN,FIN SYN,FIN --> -8 variations.
After this we have 28 "valid" variations.
If we do not check PSH and URG flags then only these 7 combinations are
valid:
RST
FIN
SYN
ACK
ACK-RST
ACK-FIN
ACK-SYN
I do not know if there are any restrictions on using PSH and URG flags...
In three-way handshake we see: SYN, SYN-ACK, ACK.
In connection termination: FIN, ACK, FIN-ACK.
Check this too: http://kerneltrap.org/node/3072
Swifty
JC Janos wrote:
Gaspar,
2008/11/25 Gáspár Lajos <swifty@xxxxxxxxxxx>:
Hi!
I use the following five combinations to filter bogus packets:
Why those in particular, and not the others? Your set also adds one
mask/comp pair,
RST,FIN RST,FIN
It seems that just about every example uses a different combination of
fragment rules. I'm simply wondering what the logic in choosing one
over the other is.
Is there maybe some documentation you can point to?
--JC
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
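
Added example, not part of the original messages: a Python check that enumerates all 64 flag combinations against the four mask/comp pairs in the INVALID list above and reproduces the 4/16/8/8 split, the 28 remaining combinations and the 7 combinations left when PSH and URG are ignored. It assumes the pairs follow iptables `--tcp-flags mask comp` semantics; the function names are hypothetical.

```python
from itertools import combinations

FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")

# (mask, comp) pairs from the INVALID list in the message.
# Assumed semantics (iptables --tcp-flags): a packet matches when, among the
# flags named in mask, exactly the flags named in comp are set.
INVALID_RULES = [
    ({"ACK", "SYN", "FIN", "RST"}, set()),   # "NONE"
    ({"RST", "SYN"}, {"RST", "SYN"}),
    ({"RST", "FIN"}, {"RST", "FIN"}),
    ({"SYN", "FIN"}, {"SYN", "FIN"}),
]

def all_combinations():
    """Every subset of the six flags: 2**6 = 64 frozensets."""
    return [frozenset(c) for n in range(len(FLAGS) + 1)
            for c in combinations(FLAGS, n)]

def matches(flags, mask, comp):
    """True when the masked view of the packet's flags equals comp."""
    return (flags & mask) == comp

def first_match_counts():
    """Per rule, how many combinations it is the first to match (in order)."""
    counts = [0] * len(INVALID_RULES)
    for flags in all_combinations():
        for i, (mask, comp) in enumerate(INVALID_RULES):
            if matches(flags, mask, comp):
                counts[i] += 1
                break
    return counts

def valid_combinations():
    """Combinations that no INVALID rule matches."""
    return [f for f in all_combinations()
            if not any(matches(f, m, c) for m, c in INVALID_RULES)]

def valid_ignoring_psh_urg():
    """Distinct valid combinations once PSH and URG are dropped."""
    reduced = {f - {"PSH", "URG"} for f in valid_combinations()}
    return sorted("-".join(x for x in FLAGS if x in f) for f in reduced)

if __name__ == "__main__":
    print(first_match_counts(), len(valid_combinations()))
    print(valid_ignoring_psh_urg())
```

The per-rule counts depend on rule order, because a combination with RST, SYN and FIN all set is matched by the RST,SYN rule before the later two are reached.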