  • Blocking inbound TCP segments with ACK=0
  • Blocking inbound TCP segments with SYN=1

Both prevent external clients from making TCP connections to internal clients, but allow internal clients to connect to outside. How?

This came up while I was studying firewalls. How do these work, and how do they lead to the conclusion stated above?

ACK=0 would mean something that is not giving acknowledgements. How would we deduce that if we block ACK=0, we would not let external clients make TCP connections with internal clients? I want to understand this.

Incoming SYN=1 makes a bit of sense to me as it means someone is trying to establish a connection from the outside.

schroeder
jacnab
  • No, incoming SYN=1 is also used in response to an outgoing connection attempt, and blocking it will cause connections to fail; see my comment on the answer. – dave_thompson_085 Dec 04 '21 at 02:26

1 Answer


Only the first packet in the three-way TCP handshake cannot contain an ACK. Every subsequent packet should contain an acknowledgement.

Only the first packet in the stream (and handshake sequence) should be a SYN.

Effectively it’s two ways of describing characteristics of the first packet of a TCP stream, just looking at different aspects.

Teun Vink
  • The first _two_ packets (first from each side) have SYN, and no others. But only the first from the initiator has not-ACK. Blocking input with SYN will block the response to an outgoing connect attempt and cause it to fail, unless this rule is overridden by something like stateful 'established accept' (which many firewalls do). – dave_thompson_085 Dec 04 '21 at 02:26
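To make the answer and the comment concrete, here is an added simulation (not code from the answer or the commenters) that runs both filter rules against the three segments of a handshake started from inside and from outside. The segments are constructed in the script; the `stateful` flag models the "established accept" override the comment mentions.

```python
"""Simulate the two inbound-filter rules from the question against a TCP
three-way handshake in each direction. Segments are constructed, not captured."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Segment:
    direction: str   # "in" = external -> internal, "out" = internal -> external
    syn: bool
    ack: bool


def handshake(initiator: str) -> list[Segment]:
    """Three-way handshake started by the 'internal' or 'external' host."""
    first = "out" if initiator == "internal" else "in"
    reply = "in" if first == "out" else "out"
    return [
        Segment(first, syn=True, ack=False),   # SYN: the only segment with ACK=0
        Segment(reply, syn=True, ack=True),    # SYN-ACK: second SYN, but ACK=1
        Segment(first, syn=False, ack=True),   # ACK: completes the handshake
    ]


# The two candidate rules from the question; each returns True to drop a segment.
def block_inbound_ack0(seg: Segment) -> bool:
    return seg.direction == "in" and not seg.ack


def block_inbound_syn(seg: Segment) -> bool:
    return seg.direction == "in" and seg.syn


def handshake_completes(rule: Callable[[Segment], bool], initiator: str,
                        stateful: bool = False) -> bool:
    """True if every handshake segment passes the filter.

    With stateful=True an inbound segment is accepted whenever an outbound SYN
    has already been seen, i.e. it is a reply to a connection we started."""
    outbound_syn_seen = False
    for seg in handshake(initiator):
        if seg.direction == "out" and seg.syn:
            outbound_syn_seen = True
        if stateful and seg.direction == "in" and outbound_syn_seen:
            continue  # established/related traffic overrides the static rule
        if rule(seg):
            return False
    return True


if __name__ == "__main__":
    for name, rule in (("block ACK=0", block_inbound_ack0), ("block SYN=1", block_inbound_syn)):
        for who in ("internal", "external"):
            print(f"{name:12} {who:8} stateless={handshake_completes(rule, who)} "
                  f"stateful={handshake_completes(rule, who, stateful=True)}")
```

Blocking inbound ACK=0 drops only the outsider's initial SYN, so inside-initiated connections still complete statelessly; blocking inbound SYN=1 also drops the SYN-ACK returning to an internal client, so that rule only works with the stateful override.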