
Well, I didn't know exactly how to ask this question, but I know that you can use the keyword flags to specify which flags you want to filter.

According to the documentation of the Packet filter:

To have PF inspect the TCP flags during evaluation of a rule, the flags keyword is used with the following syntax:

    flags check/mask
    flags any

The mask part tells PF to only inspect the specified flags and the check part specifies which flag(s) must be "on" in the header for a match to occur. Using the any keyword allows any combination of flags to be set in the header.

    pass in on fxp0 proto tcp from any to any port ssh flags S/SA
    pass in on fxp0 proto tcp from any to any port ssh

As flags S/SA is set by default, the above rules are equivalent. Each of these rules passes TCP traffic with the SYN flag set while only looking at the SYN and ACK flags. A packet with the SYN and ECE flags would match the above rules, while a packet with SYN and ACK or just ACK would not.

So, I understood the example and why the packet with the flags S and E can pass (because the E flag is not considered due to the mask SA) and why the packet with only the Ack flag can't pass the firewall.

What I didn't understand is why the packet with the flags S and A can't pass the rule S/SA, if the flag S is "on" in the packet header. Maybe the documentation is ambiguous? Sorry if this is a stupid question or an English misunderstanding.

I imagine that it can only pass if it MUST HAVE ONLY the flag S. In set arithmetic it would be something like this:

    flag(s) must be 'on' in the header -> flag(s) pertain to the masked subset [pf doc]
    only the flag(s) must be 'on' in the header -> flag(s) are equal to the masked subset [what I understood from the example given]

Thanks in advance!

Davi Sampaio

1 Answer


This means that you're looking at two flags S & A but you match if and only if S is "on" AND A is "off".

flags S/SA

 ---------------
| S | A | Match |
|---|---|-------|
| 0 | 0 | No    |
| 0 | 1 | No    |
| 1 | 0 | Yes   |
| 1 | 1 | No    |
 ---------------

If you want to match when both SA flags are "on", you'll use flags SA/SA.

flags SA/SA

 ---------------
| S | A | Match |
|---|---|-------|
| 0 | 0 | No    |
| 0 | 1 | No    |
| 1 | 0 | No    |
| 1 | 1 | Yes   |
 ---------------

Spack
  • This is what I was thinking after looking at the example @Spack. Don't you agree the documentation is ambiguous? It says that the flag(s) in the check part must be 'on' in the header. So the case you pointed out, when you have S and A, would also match. It doesn't say that only the flag(s) in the check part must match. – Davi Sampaio Apr 19 '13 at 21:34
  • I agree with you on that point. As I also use `iptables` on Linux I deduced that the behavior should be similar. – Spack Apr 19 '13 at 21:44
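The check/mask semantics from the answer above (and the flags S/SA example quoted in the question), modelled in a few lines of Python. This is an added example, not code from the original question or answer, and not PF's own implementation; it assumes that a rule matches exactly when the packet's flags, restricted to the mask, equal the check set, i.e. (packet & mask) == check, which is what the answer's two truth tables describe. The flag letters and bit values follow the TCP header flags byte as pf.conf names them; the "check must be a subset of mask" validation is a sanity check of this model, not a claim about what pfctl accepts.

```python
"""Model of PF's ``flags check/mask`` TCP flag matching.

Added example, not the original poster's or PF's code. Assumption taken from
the answer's truth tables: a rule matches when (packet & mask) == check, so
every flag in the mask is inspected and must be on exactly when it appears in
the check set, and off otherwise. Flags outside the mask are ignored.
"""
from itertools import product

# TCP flag letters as used by pf.conf: (F)IN (S)YN (R)ST (P)USH (A)CK (U)RG
# (E)CE C(W)R. Bit values are those of the TCP header flags byte.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def parse_flags(letters):
    """Turn a flag string such as 'SA' into a bitmask; '' means no flags set."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAGS[ch]
    return bits


def parse_rule(spec):
    """Parse 'check/mask' or 'any' into (check, mask) bitmasks.

    'any' inspects no flags at all, so every combination matches.
    """
    if spec == "any":
        return 0, 0
    check_str, sep, mask_str = spec.partition("/")
    if not sep:
        raise ValueError("expected 'check/mask' or 'any'")
    check, mask = parse_flags(check_str), parse_flags(mask_str)
    if check & ~mask:
        # Sanity check for this model (an assumption, not pfctl behaviour):
        # a flag required 'on' that is not inspected could never match.
        raise ValueError("check flags must be a subset of the mask")
    return check, mask


def matches(rule_spec, packet_flags):
    """True when a packet whose flags are `packet_flags` matches `rule_spec`."""
    check, mask = parse_rule(rule_spec)
    return (parse_flags(packet_flags) & mask) == check


def truth_table(rule_spec, columns="SA"):
    """Enumerate every on/off combination of `columns` and record the verdict,
    keyed by the tuple of bits in column order (reproduces the answer's tables).
    """
    result = {}
    for bits in product((0, 1), repeat=len(columns)):
        letters = "".join(c for c, b in zip(columns, bits) if b)
        result[bits] = matches(rule_spec, letters)
    return result


if __name__ == "__main__":
    for rule in ("S/SA", "SA/SA"):
        print(f"flags {rule}")
        for bits, verdict in truth_table(rule).items():
            print("  S=%d A=%d -> %s" % (bits[0], bits[1], "Yes" if verdict else "No"))
    # The documentation's cases: SYN+ECE passes S/SA; SYN+ACK and bare ACK do not.
    print(matches("S/SA", "SE"), matches("S/SA", "SA"), matches("S/SA", "A"))
```

Running the script prints the same two tables as the answer. The key point for a firewall author is the second half of the comparison: with S/SA, ACK is in the mask but not in the check set, so it is required to be off, which is why a SYN+ACK segment (the second step of a handshake, not a new connection attempt) does not match a rule meant to admit only connection openings.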