TCP flags

We have decided to create an allow list of TCP flags on the router to block some attacks.
What flags are used in TCP traffic for normal web sites / FTP / mail, etc.?


I am looking for a list of the flags found in normal TCP traffic for these types of traffic.

TCP flags are about TCP connections, no matter what is inside:
Here is an example of the flags that are needed. The other four you can strip away, recalculating the header checksums.
FireBallITAuthor Commented:
There are too many types of TCP flags,
but what I want to learn is which ones are required for normal TCP traffic.


For example, I have never seen a
in web traffic.
PF takes letters; you need to convert them to iptables masks.
S/SAFR -> init connection
SA/SAFR -> accept it
A/SAFR or nothing/SAFR -> keep state longer
F/SAFR or R/SAFR -> kill the state quicker
Other flags can be ignored or even masked out.

FireBallITAuthor Commented:
Actually, I plan to block the unnecessary flags on the router.
There is no difference in flag semantics between higher-level protocols.
You can specify a comma-separated list of flags and handy iptables makes a bit mask out of it.
FireBallITAuthor Commented:
I could not figure out which hex values are optional to allow; for example, 0x05 is not a used flag. Which flags do you advise me to allow? I will block the rest.
You should not block them; you need to zero the ones you don't need.
You need only SAFR to maintain a TCP connection:
S -> init
SA -> accept
- or A -> continue
- or A and F or R -> end of connection
The other four can be cleaned out (i.e. zeroed out) or ignored,
and weird combinations of SAFR should be discarded as unseen.
FireBallITAuthor Commented:
No, I have options on my router to block TCP flags for destination address prefixes.

For now I have only allowed 0x02 and 0x10 and it works perfectly, but I also tried a TS3 server on
they are working well,
but FTP is not working.
Probably it uses the push flag and you drop the packet...
FireBallITAuthor Commented:
Actually, if I find a way like this then there won't be a problem, as we talked about on the other question.
FTP is an ugly protocol: it uses 2 connections, and the second might be initiated from the server or from the client.
A modern extension encrypts the control connection, so no firewall can guess the 2nd connection.
FireBallITAuthor Commented:
But does it make sense to have 2 or 1000 connections?
The second connection is not on standard ports. Usually >1024 to >1024 either way.
FireBallITAuthor Commented:
But I am not talking about ports, I am talking about flags.
There are no special flags set by RHEL6 ftp or FileZilla for the data connection. I suspect it is blocked because of ports, not because of flags. Can you verify with tcpdump on the client?
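As an added example (not code from the thread), the following Python decodes the TCP flag byte and compares the two allow-list styles discussed above: a whole-byte list such as the asker's 0x02/0x10, which drops a PSH-ACK data segment, versus comparing only the SYN/ACK/FIN/RST bits the way PF's S/SAFR notation and an iptables mask/compare pair do. The set of allowed SAFR patterns and the sample flag bytes are assumptions taken from the answers.

```python
# Bit values of the TCP control flags (byte 13 of the TCP header, RFC 793 / RFC 3168).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def mask(names_csv):
    """'SYN,ACK' -> 0x12, the way iptables builds a bit mask from a comma-separated list."""
    return sum(FLAGS[n.strip().upper()] for n in names_csv.split(",") if n.strip())


def names(byte):
    """0x18 -> 'PSH,ACK', for readable output."""
    return ",".join(n for n, bit in FLAGS.items() if byte & bit) or "NONE"


SAFR = mask("SYN,ACK,FIN,RST")  # 0x17: the four bits that drive connection state

# SAFR patterns the answers above treat as legitimate (assumption); any other
# combination of these four bits is a "weird combination" and is discarded.
# PF's "/SAFR" (no state bits at all) is deliberately left out: a 0x00 flag
# byte is the NULL-scan signature and carries no state transition.
ALLOWED_SAFR = {
    mask("SYN"): "init connection",
    mask("SYN,ACK"): "accept",
    mask("ACK"): "continue",
    mask("FIN,ACK"): "end of connection",
    mask("RST,ACK"): "end of connection",
    mask("FIN"): "end of connection",
    mask("RST"): "end of connection",
}


def classify_safr(byte):
    """Mask/compare policy: PSH, URG, ECE and CWR are ignored, as the answers advise."""
    reason = ALLOWED_SAFR.get(byte & SAFR)
    return ("ACCEPT", reason) if reason else ("DROP", "unexpected SYN/ACK/FIN/RST combination")


def classify_exact(byte, allowed=(0x02, 0x10)):
    """Whole-byte allow list: any extra bit such as PSH makes the packet fail the match."""
    return ("ACCEPT", "listed value") if byte in allowed else ("DROP", "flag byte not listed")


# Constructed sample flag bytes (SYN, SYN-ACK, ACK, PSH-ACK, FIN-ACK, RST-ACK, SYN-FIN, none).
SAMPLE = [0x02, 0x12, 0x10, 0x18, 0x11, 0x14, 0x03, 0x00]


def compare(flag_bytes=SAMPLE):
    """Per packet: (flag names, whole-byte verdict, SAFR-mask verdict)."""
    return [(names(b), classify_exact(b)[0], classify_safr(b)[0]) for b in flag_bytes]
```

Running compare() shows the PSH-ACK segment (0x18) accepted by the SAFR mask but dropped by the whole-byte list, which is the FTP symptom the answer suspects.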
