
Author Topic: When to enable the tcp flag "out of" ?  (Read 230 times)


Offline noak

When to enable the tcp flag "out of" ?
« on: December 08, 2017, 10:28:03 am »
I am confused on the "out of" part of the TCP flags. Can anyone give me an example of when this should be used? I get how to use the "set" part, for example if a packet matches TCP:Syn then allow (i.e. syn is "set"). But should SYN "out of" also be checked?

Offline jitguy

Re: When to enable the tcp flag "out of" ?
« Reply #1 on: December 08, 2017, 09:22:22 pm »
My understanding is you set the "out of" bits for the flags you care about. If the "out of" bit is not set, that flag is ignored. If it is set, then that flag must match the set/not set setting.

Offline jimp

Re: When to enable the tcp flag "out of" ?
« Reply #2 on: December 13, 2017, 02:54:20 pm »
In nearly all cases, you will never need to touch that. It's for making sure some flags are set and others are unset.

So if you have "S" out of "SA" checked it will only match if SYN is set and ACK is not set. This way it can match the first packet of a TCP handshake but not the later packets. That example is the default choice when that control is left alone at the default and the rule is for TCP.
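The "S" out of "SA" semantics described in the replies above reduce to a bitmask check: the "out of" set is a mask selecting which flag bits are examined, and the "set" list is the value those masked bits must have. The following is an added example that models that check in Python; it is not code from pfSense or from OpenBSD pf, and the flag letters and the constructed handshake packets are assumptions chosen to illustrate the point. It also evaluates a few other set/mask combinations so the effect of leaving flags out of the mask is visible.

```python
# Model of the pf-style "flags SET/MASK" match used by pfSense TCP rules.
# Added example, not pfSense/pf code. Flag letters follow the pf convention:
# F=FIN S=SYN R=RST P=PSH A=ACK U=URG E=ECE W=CWR (bit values are the
# standard TCP header flag bits).
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}


def parse_flags(spec: str) -> int:
    """Turn a string of flag letters such as 'SA' into a bitmask."""
    bits = 0
    for ch in spec:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def rule_matches(set_flags: str, out_of: str, packet_flags: str) -> bool:
    """True when the packet's flags match 'set_flags' out of 'out_of'.

    Every flag listed in out_of is examined: it must be set on the packet if
    it appears in set_flags and clear otherwise. Flags not in out_of are
    ignored entirely, which is the behaviour the thread describes.
    """
    want = parse_flags(set_flags)
    mask = parse_flags(out_of)
    if want & ~mask:
        raise ValueError("flags to match must be a subset of the 'out of' mask")
    have = parse_flags(packet_flags)
    return (have & mask) == want


# Constructed packets from a typical TCP exchange (not captured traffic).
HANDSHAKE = [
    ("client SYN", "S"),
    ("server SYN/ACK", "SA"),
    ("client ACK", "A"),
    ("data PSH/ACK", "PA"),
    ("client FIN/ACK", "FA"),
]


def which_match(set_flags: str, out_of: str) -> list:
    """Names of the constructed packets a given set/out-of pair matches."""
    return [name for name, flags in HANDSHAKE
            if rule_matches(set_flags, out_of, flags)]


if __name__ == "__main__":
    # "S" out of "SA": the default for TCP rules, matches only the first
    # packet of the handshake, never the SYN/ACK or later packets.
    print("S/SA :", which_match("S", "SA"))
    # "S" out of "S": ACK is not examined, so the SYN/ACK also matches.
    print("S/S  :", which_match("S", "S"))
    # Empty mask ("any"): nothing is examined, so every packet matches.
    print("any  :", which_match("", ""))
```

Running the block prints the packets matched by each combination; the first line shows why the default "S" out of "SA" picks out only the connection-opening SYN, while dropping ACK from the mask lets the server's SYN/ACK through as well.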

Offline noak

Re: When to enable the tcp flag "out of" ?
« Reply #3 on: December 15, 2017, 08:43:37 am »
Thanks, that explanation also confirms what I read here:

https://www.openbsd.org/faq/pf/filter.html

ctrl-f tcp flags


This doc cleared up my confusion on tcp flags a lot.