[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: flags S/SA vs flags S

To: Otto Moerbeek <otto@drijf.net>
Subject: Re: flags S/SA vs flags S
From: kjell@pintday.org
Date: Tue, 23 Jul 2002 13:29:05 -0600
Cc: Chris Kuethe <ckuethe@ualberta.ca>, misc@OpenBSD.org

> So the Best flag for the state creating rule would be S/SAFR, like kj 
> suggested? Ignoring P, U, E and W and any future flags that may pop up?

Well obviously, I like it.

ECN requires that communicating hosts set the E (ECE) and W (CWR)
flags in the SYN packet, so at bare minimum, you'd want S/SAFRUP.
I personally don't think there is anything wrong with (U)rg or (P)sh
in a SYN, so I'm left with S/SAFR.

Really, there's no sense (except in the aforementioned T/TCP case) to
allow SF or SR through the filter, and creating state on SA is just
plain silly.

So yes, in short, I think S/SAFR is the best general purpose
combination for state creation flags. Perhaps we should adjust the
pf documentation to reflect this?

Hopefully that clears up some confusion.

-kj

Follow-Ups:
- Re: flags S/SA vs flags S
  - From: Thorsten Glaser <tygs@netcologne.de>

References:
- Re: flags S/SA vs flags S
  - From: Otto Moerbeek <otto@drijf.net>

Prev by Date: Re: A question for those running -current on i386
Next by Date: Re: pf vs ipf
Prev by thread: Re: flags S/SA vs flags S
Next by thread: Re: flags S/SA vs flags S
Index(es):
- Date
- Thread