TCP Flags

Discussion in 'LnS English Forum' started by qwerty133, Oct 19, 2003.

Thread Status:
Not open for further replies.
  1. qwerty133

    qwerty133 Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    4
    Hi,
    I don't understand how to set the TCP Flags rules in the Internet filtering.

    What do "mask" and "set/cleared" mean?

    For example, if I want to apply my rule to all the packets with FIN=1, what do I have to set?

    Thank you!
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey qwerty133

    In the EnhancedRulesSet.rls file you’ll find a rule labelled “TCP : Block incoming connections”; this would be a good rule to follow. And if you want all possibilities I’d suggest viewing over Phant0m's Rule-set $v5.0, available at http://www.wilderssecurity.info/Phant0m.shtml. ;)
     
  3. qwerty133

    qwerty133 Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    4
    Thanks for the reply, Phantom.
    Unfortunately, I don't want to block the incoming TCP connections, and I don't want to use a preset set of rules.

    I would like to understand how to use the flag rules, and when I say "how" I don't mean what for, I mean in what manner.

    Like, as I said for example, if I want to apply my rule to all the packets with FIN=1, what do I have to set?

    Thanks!
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey qwerty133

    No, I know you don’t want to block “Incoming Connections” and I know you want rules to apply to only packets with TCP FIN Flag set, so I responded suggesting you view over “TCP : Block incoming connections” rule, doing so you should obviously know you want FIN rather than SYN for "Set/Cleared", so you make the following modifications in addition to unchecking "Block incoming connections" from within "Rule Edition" Dialog. Afterwards you can choose to toggle with the Block flag at will…

    And if you would have explored my Rule-set you would have noticed tons of TCP Flag Combinations to study from.

    Anyways take a gander at http://www.wilderssecurity.info/TCP-Flag_Controls.shtml, let's see if this helps you… ;)
     
  5. qwerty133

    qwerty133 Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    4
    Hi Phantom,
    I read your examples but I think I didn't understand well because it doesn't work...

    I understood that:
    a flag with MASK checked means that I'm interested in that flag;
    a flag with MASK unchecked means that I'm not interested in that flag;
    a flag with SET/CLEARED checked means that that flag must be set;
    a flag with SET/CLEARED unchecked means that that flag must be unset;

    Is it right?

    Thank you!
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey qwerty133

    I think you got the idea; let’s verify…

    http://www.wilderssecurity.info/images/ACK-0.PNG

    Out of all that has been checked for “Mask”, only that which has been checked for “Set/Cleared” will apply…

    For an example with that current configuration only packets with TCP ACK Flag set will apply, so if there is another Flag used for a packet with ACK Flag set it will not apply.

    In Packet’s Content Dialog a TCP packet should only have the following http://www.wilderssecurity.info/images/ACK.PNG for TCP Flags.

    http://www.wilderssecurity.info/images/ACK-SYN-0.PNG

    Again, out of all that has been checked for “Mask”, only that which has been checked for “Set/Cleared” will apply….

    For an example with the current configuration only packets with TCP ACK, SYN Flag set will apply, so if there is another Flag used for a packet with TCP ACK & SYN Flag set it will not apply.

    In Packet’s Content Dialog a TCP packet should only have the following http://www.wilderssecurity.info/images/ACK-SYN.PNG for TCP Flags.

    http://www.wilderssecurity.info/images/ACK-1.PNG

    Again, out of all that has been checked for “Mask”, only that which has been checked for “Set/Cleared” will apply, in addition to TCP Flags that have not been checked for “Mask”, so with the current configuration ACK, or ACK+FIN packets will apply.
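
The Mask and Set/Cleared behaviour described in this thread, as an added example (not from the original posts and not Look 'n' Stop's own code). It assumes a rule is evaluated as `(flags & mask) == (set_cleared & mask)`, that the dialog covers the six classic TCP flags, and that the three screenshots correspond to the configurations the last post describes; the rule names are hypothetical, and the final rule is the FIN=1 case asked about at the top of the thread.

```python
# TCP flag bits as they sit in the TCP header flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG
NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def rule_matches(packet_flags, mask, set_cleared):
    """Mask picks the flags the rule looks at; Set/Cleared gives the value
    each of those flags must have. Flags outside the mask are ignored."""
    return (packet_flags & mask) == (set_cleared & mask)


def describe(flags):
    """Human-readable name for a flag combination, e.g. 'SYN+ACK'."""
    return "+".join(n for bit, n in NAMES.items() if flags & bit) or "none"


def matching_combinations(mask, set_cleared):
    """List every one of the 64 flag combinations the rule applies to."""
    return [describe(f) for f in range(ALL + 1)
            if rule_matches(f, mask, set_cleared)]


# Assumed reading of the configurations in the last post (hypothetical names).
ACK_ONLY = (ALL, ACK)             # every flag masked, only ACK set
SYN_ACK_ONLY = (ALL, ACK | SYN)   # every flag masked, ACK and SYN set
ACK_FIN_FREE = (ALL & ~FIN, ACK)  # FIN left out of the mask, ACK set
ANY_FIN = (FIN, FIN)              # only FIN masked and set: "FIN=1"

if __name__ == "__main__":
    for name, rule in [("ACK_ONLY", ACK_ONLY), ("SYN_ACK_ONLY", SYN_ACK_ONLY),
                       ("ACK_FIN_FREE", ACK_FIN_FREE)]:
        print(name, "->", matching_combinations(*rule))
    fin_matches = matching_combinations(*ANY_FIN)
    print("ANY_FIN ->", len(fin_matches), "combinations, e.g.", fin_matches[:4])
```

Masking every flag pins the rule to one exact combination, while masking only FIN makes it apply to any packet carrying FIN regardless of the other flags.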
     