TCP flags

We decided to create an allow list of TCP flags on the router to block some attacks.
What are the flags used on TCP traffic for normal web sites / FTP / mail ... etc.?

0x02
0x10
.....
etc


I am looking for a list of normal TCP traffic flags for these types of traffic.
FireBallITAsked:

gheistCommented:
TCP flags are about TCP connections, no matter what is inside:
http://www.openbsd.org/faq/pf/filter.html#tcpflags
There is an example of the flags that are needed. The other four you can strip away, recalculating header checksums.
FireBallITAuthor Commented:
There are too many types of TCP flags
http://rapid.web.unc.edu/resources/tcp-flag-key/
but what I want to learn is which ones are required for normal TCP traffic.

http
ftp
ssh
sftp
imap
pop
....etc.


For example, I have never seen a
0x9B FIN-SYN-PSH-ACK-CWR
on web traffic.
gheistCommented:
PF takes letters; you need to convert them to iptables masks. S/SAFR -> init connection, SA/SAFR -> accept it, A/SAFR or nothing /SAFR -> keep state longer, F/SAFR or R/SAFR -> kill the state quicker.
Other flags can be ignored or even masked out.

FireBallITAuthor Commented:
Actually I plan to block the unnecessary flags on the router.
gheistCommented:
There is no difference in flag semantics between higher-level protocols.
You can specify a comma-separated list of flags and handy iptables makes a bit mask out of it.
FireBallITAuthor Commented:
I need to figure out which hex values are optional to allow; for example 0x05 is not a used flag. Which flags do you advise me to allow? I will block the rest.
gheistCommented:
You should not block them; you need to zero those you don't need.
You need only SAFR to maintain a TCP connection:
S -> init
SA -> accept
- or A -> continue
- or A and F or R -> end of connection
The other four can be cleaned out (i.e. zeroed out) or ignored,
and weird combinations of SAFR should be discarded as unseen.
FireBallITAuthor Commented:
No, I have options on my router to block TCP flags for destination address prefixes.

For www.ddos-service.com I have only allowed 0x02 and 0x10 and it works perfectly, but I also tried a TS3 server on 178.20.229.146
and they are working well,
but FTP is not working.
gheistCommented:
Probably it uses the push flag and you drop the packet...
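As an added example (not code from the thread), the following puts the SAFR rule from the comments above (mask off PSH/URG/ECE/CWR, then check the SYN/ACK/FIN/RST combination) beside a strict allow list of exact flag bytes like the asker's {0x02, 0x10}, so you can see why a PSH-ACK data segment such as FTP sends passes the first and is dropped by the second. The flag bit values are the standard TCP ones; treating a bare FIN or an all-zero flag byte as abnormal is an assumption of the example.

```python
# Added example, not from the thread: apply the SAFR rule from the comments
# (mask off PSH/URG/ECE/CWR, then check the SYN/ACK/FIN/RST combination) and
# compare it with a strict allow list of exact flag bytes such as {0x02, 0x10}.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

SAFR = SYN | ACK | FIN | RST      # the four bits needed to track a connection;
                                  # PSH/URG/ECE/CWR are the "other four" that get masked

# Legitimate SAFR combinations and the connection phase each one belongs to.
# Assumption: a bare FIN or an all-zero flag byte is treated as abnormal.
NORMAL_SAFR = {
    SYN: "init",          # S  -> new connection
    SYN | ACK: "accept",  # SA -> accepted
    ACK: "continue",      # A  -> established, data and acknowledgements
    ACK | FIN: "end",     # AF -> orderly close
    ACK | RST: "end",     # AR -> abort
    RST: "end",           # R  -> abort (reset without ACK)
}


def classify(flags: int) -> str:
    """Return the connection phase for a TCP flag byte, or 'abnormal'."""
    core = flags & SAFR          # drop PSH/URG/ECE/CWR before deciding
    return NORMAL_SAFR.get(core, "abnormal")


def strict_allow(flags: int, allowed=(SYN, ACK)) -> bool:
    """The asker's approach: accept only exact flag bytes on an allow list."""
    return flags in allowed


def decode(flags: int) -> str:
    """Name the set bits low to high, e.g. 0x9B -> 'FIN-SYN-PSH-ACK-CWR'."""
    names = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH),
             ("ACK", ACK), ("URG", URG), ("ECE", ECE), ("CWR", CWR))
    return "-".join(n for n, b in names if flags & b) or "NONE"


if __name__ == "__main__":
    # Constructed sample flag bytes: the SAFR phases, a PSH-ACK data segment
    # (dropped by the {0x02, 0x10} list, accepted by the SAFR rule), and the
    # 0x9B and 0x05 combinations mentioned in the thread.
    for f in (0x02, 0x12, 0x10, 0x18, 0x11, 0x14, 0x04, 0x9B, 0x05, 0x00):
        print(f"0x{f:02X} {decode(f):<20} safr={classify(f):<9} "
              f"strict_allow={strict_allow(f)}")
```

Note that 0x18 (PSH-ACK) is classified as "continue" by the SAFR rule but rejected by the strict list, which is the mismatch discussed above.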
FireBallITAuthor Commented:
Actually, if I find a way like this then there won't be a problem, as we discussed on the other question.
gheistCommented:
FTP is an ugly protocol - it uses 2 connections and the second might be initiated from the server or from the client.
The modern extension encrypts the control connection, so no firewall can guess the 2nd connection.
FireBallITAuthor Commented:
But does it make sense to have 2 or 1000 connections?
gheistCommented:
The second connection is not on standard ports. Usually >1024 to >1024 either way.
FireBallITAuthor Commented:
But I am not talking about ports, I am talking about flags.
gheistCommented:
There are no special flags set by RHEL6 ftp or FileZilla for the data connection. I suspect it is blocked because of ports, not because of flags. Can you verify with tcpdump on the client?