TCP Flags


qwerty133
October 19th, 2003, 08:02 PM
Hi,
I don't understand how to set the TCP Flags rules in the Internet filtering.

What do "mask" and "set/cleared" mean?

For example, if I want to apply my rule to all the packets with FIN=1, what do I have to set?

Thank you!

Phant0m
October 19th, 2003, 08:35 PM
Hey qwerty133

In the EnhancedRulesSet.rls file you'll find a rule labelled "TCP : Block incoming connections"; this would be a good rule to follow. And if you want all possibilities I'd suggest viewing Phant0m's Rule-set v5.0, available at http://www.wilderssecurity.info/Phant0m.shtml. ;)

qwerty133
October 20th, 2003, 06:47 PM
Thanks for the reply, Phantom.
Unfortunately, I don't want to block the incoming TCP connections, and I don't want to use a preset set of rules.

I would like to understand how to use the flag rules, and when I say "how" I don't mean what for, I mean in what manner.

Like, as I said for example, if I want to apply my rule to all the packets with FIN=1, what do I have to set?

Thanks!

Phant0m
October 20th, 2003, 09:14 PM
Hey qwerty133

No, I know you don't want to block "Incoming Connections", and I know you want rules to apply only to packets with the TCP FIN flag set, so I responded suggesting you view the "TCP : Block incoming connections" rule. Doing so, you should obviously know you want FIN rather than SYN for "Set/Cleared", so you make that modification in addition to unchecking "Block incoming connections" from within the "Rule Edition" dialog. Afterwards you can choose to toggle the Block flag at will…

And if you would have explored my Rule-set you would have noticed tons of TCP Flag Combinations to study from.

Anyways, take a gander at http://www.wilderssecurity.info/TCP-Flag_Controls.shtml; let's see if this helps you… ;)

qwerty133
October 21st, 2003, 07:48 PM
Hi Phantom,
I read your examples, but I think I didn't understand them well because it doesn't work...

I understood that:
a flag with MASK checked means that I'm interested in that flag;
a flag with MASK unchecked means that I'm not interested in that flag;
a flag with SET/CLEARED checked means that that flag must be set;
a flag with SET/CLEARED unchecked means that that flag must be unset;

Is it right?

Thank you!

Phant0m
October 21st, 2003, 08:08 PM
Hey qwerty133

I think you got the idea; let’s verify…

http://www.wilderssecurity.info/images/ACK-0.PNG

Out of all that has been checked for "Mask", only what has also been checked for "Set/Cleared" will apply…

For example, with that configuration only packets with the TCP ACK flag set will apply, so if another flag is also used in a packet with the ACK flag set, it will not apply.

In the Packet's Content dialog a TCP packet should then only have the following http://www.wilderssecurity.info/images/ACK.PNG for TCP Flags.

http://www.wilderssecurity.info/images/ACK-SYN-0.PNG

Again, out of all that has been checked for "Mask", only what has also been checked for "Set/Cleared" will apply…

For example, with the current configuration only packets with the TCP ACK and SYN flags set will apply, so if another flag is also used in a packet with the TCP ACK and SYN flags set, it will not apply.

In the Packet's Content dialog a TCP packet should then only have the following http://www.wilderssecurity.info/images/ACK-SYN.PNG for TCP Flags.

http://www.wilderssecurity.info/images/ACK-1.PNG

Again, out of all that has been checked for "Mask", only what has also been checked for "Set/Cleared" will apply, in addition to any TCP flags that have not been checked for "Mask" (those may be either set or cleared). So with the current configuration, ACK or ACK+FIN packets will apply.
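As an added example (not from the thread or from the firewall's own code), the matching rule these posts describe written out in Python: bits ticked under "Mask" are examined, each must equal its "Set/Cleared" tick, and unmasked bits are ignored. The three screenshot configurations are reconstructed from the post text as an assumption (all six flags masked in the first two), and the original FIN=1 question is answered as a fourth rule.

```python
# Added example: Mask / Set-Cleared matching for TCP flag rules.
# Flag bit values follow RFC 793 (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32);
# the later ECE/CWR bits are left out to stay with the six flags in the thread.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(*names):
    """Build a TCP-flags byte from flag names, e.g. flag_bits("SYN", "ACK")."""
    bits = 0
    for name in names:
        bits |= FLAGS[name]
    return bits


def rule_matches(packet_flags, mask, set_cleared):
    """True when the packet satisfies the rule.
    Only bits ticked in `mask` are examined; each must equal the matching
    `set_cleared` bit (ticked = must be 1, unticked = must be 0).
    Bits not in `mask` are ignored, so they may be either 1 or 0."""
    return (packet_flags & mask) == (set_cleared & mask)


def matching_combinations(mask, set_cleared):
    """Every flag combination (as a tuple of names) the rule accepts."""
    accepted = []
    for value in range(64):  # all combinations of the six flag bits
        if rule_matches(value, mask, set_cleared):
            accepted.append(tuple(n for n, b in FLAGS.items() if value & b))
    return accepted


# Reconstructed (assumed) configurations from the screenshots in the thread:
# 1. all six flags masked, only ACK ticked under Set/Cleared -> pure ACK only
PURE_ACK_RULE = (flag_bits(*FLAGS), flag_bits("ACK"))
# 2. all six masked, ACK and SYN ticked -> SYN/ACK only
SYN_ACK_RULE = (flag_bits(*FLAGS), flag_bits("ACK", "SYN"))
# 3. FIN left unmasked, ACK ticked -> ACK or ACK+FIN
ACK_OR_ACK_FIN_RULE = (flag_bits(*FLAGS) & ~FLAGS["FIN"], flag_bits("ACK"))
# The original question, "all packets with FIN=1": mask only FIN, tick FIN.
ANY_FIN_RULE = (flag_bits("FIN"), flag_bits("FIN"))

if __name__ == "__main__":
    for label, (mask, ticked) in [("pure ACK", PURE_ACK_RULE),
                                  ("SYN/ACK", SYN_ACK_RULE),
                                  ("ACK or ACK+FIN", ACK_OR_ACK_FIN_RULE),
                                  ("any FIN", ANY_FIN_RULE)]:
        print(f"{label}: mask={mask:#04x} set={ticked:#04x} ->",
              matching_combinations(mask, ticked))
```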