On Thu, 21 Jun 2001, Reckhard, Tobias wrote:
> Now, the second segment in this sequence, i.e. the first one
> travelling from connection recipient to original sender *has the SYN
> bit set*. So, [snip] then you'd effectively block this second segment
> of the three-way handshake [snip]
Actually, that is incorrect after all. Snippet from "man ipchains":
    [!] -y, --syn
        Only match TCP packets with the SYN bit set and the
        ACK and FIN bits cleared. [snip]
        [snip] If the "!" flag precedes the "-y", the sense
        of the option is inverted.
So, the ACK SYN packet does not match a -y rule. But what is still a
slight bit unclear (to me) is whether a ! -y rule matches packets
regardless of the ACK and/or FIN flags, only looking for "SYN not set". If
you take the man page text literally, it would mean "only match packets
with SYN cleared, ACK and FIN set", meaning that it only matches the
very last packet before a connection is dropped (which wouldn't make
_any_ sense at all, unless you wanted to leave connections hanging until
a timeout occurs).
.pi.
--
Petteri Lyytinen + [EMAIL PROTECTED] + http://www.cs.tut.fi/~typo/
"Close friends are the true angels who lift you up on your feet when
your wings don't remember how to fly."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
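The rule semantics from the man page excerpt above, as an added example that is not part of the original post or of ipchains itself: a small Python model of the -y test and its "!"-inverted form, run over a constructed three-way handshake plus a closing FIN/ACK. It assumes that ! -y is the plain logical complement of -y (the usual meaning of "!" in ipchains), and the header builder, segment labels and port numbers are constructed for illustration.

```python
# Added example (not from the original post): models the ipchains "-y" match
# and its "!"-inverted form, then applies both to the segments of a TCP
# three-way handshake. Assumption: "! -y" is the logical complement of "-y".
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte from a raw TCP header (IP header already stripped)."""
    if len(segment) < 14:
        raise ValueError("truncated TCP header")
    return segment[13]  # byte 12 = data offset/reserved, byte 13 = flags


def matches_syn_option(flags: int) -> bool:
    """ipchains -y: SYN set AND ACK cleared AND FIN cleared."""
    return bool(flags & SYN) and not (flags & ACK) and not (flags & FIN)


def matches_inverted_syn_option(flags: int) -> bool:
    """ipchains ! -y, modelled as the logical complement of -y (assumption)."""
    return not matches_syn_option(flags)


def build_tcp_header(flags: int, sport=40000, dport=80, seq=0, ack=0) -> bytes:
    """Constructed minimal 20-byte TCP header (no options) carrying the given flags."""
    offset_byte = 5 << 4  # data offset = 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset_byte, flags, 65535, 0, 0)


# Constructed segments as a firewall between client and server would see them.
HANDSHAKE = {
    "1 client->server SYN": build_tcp_header(SYN, seq=100),
    "2 server->client SYN/ACK": build_tcp_header(SYN | ACK, sport=80, dport=40000, seq=300, ack=101),
    "3 client->server ACK": build_tcp_header(ACK, seq=101, ack=301),
    "4 client->server FIN/ACK": build_tcp_header(FIN | ACK, seq=101, ack=301),
}


def classify(segments=HANDSHAKE) -> dict:
    """Map each segment label to (matches -y, matches ! -y)."""
    return {name: (matches_syn_option(tcp_flags(hdr)), matches_inverted_syn_option(tcp_flags(hdr)))
            for name, hdr in segments.items()}


if __name__ == "__main__":
    for name, (y, not_y) in classify().items():
        print(f"{name:28s}  -y: {y!s:5s}  ! -y: {not_y}")
```

Only the bare SYN (segment 1) matches -y, so a rule dropping inbound -y traffic stops new inbound connections while letting the returning SYN/ACK through; every other segment, FIN/ACK included, matches ! -y.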