[ previous ] [ next ] [ threads ]
 From:  Jeffrey Goldberg <jeffrey at goldmark dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  What is special about S/FSRA?
 Date:  Sat, 9 Feb 2008 19:03:19 -0600
I've got one particular host on a LAN (sis0) that is trying to talk to  
a machine on the DMZ, but all TCP traffic appears to be blocked by  
this very early set of "rules"

@29 skip 1 in proto tcp from any to any flags S/FSRA
@30 block in log quick proto tcp from any to any

Here are a couple of log entries
Feb  9 15:09:12 firewall ipmon[86]: 15:09:12.276053 sis0 @0:30 b,57125
       -> 66.XXX.XXX.20,25 PR tcp len 20 52 -AF IN
Feb  9 15:09:54 firewall ipmon[86]: 15:09:54.174472 sis0 @0:30 b,57179
       -> 66.XXX.XXX.20,25 PR tcp len 20 64 -A IN

This doesn't look like the default deny rule since it is so early.  So  
I am guessing that there is something about a tcp packet with flags  
that don't match S/FSRA that is considered worth blocking right away.

Reading ipf.conf, I take @29 to mean that out of the FIN, SYN, RST,  
and ACK only the SYN flag should be set.  But I don't understand TCP  
enough to understand why that should be the case.  (In fact, it seems  
backwards to me)

Can anyone explain to me or point me toward docs that would help me  
understand what this is about?  And why one of my systems (the source  
of these) would be generating these bad packets.  Note that I am  
trying to get that system to talk to port 25 on the destination  
system.  I am expecting port 25 traffic, but I find it blocked.



Jeffrey Goldberg                        http://www.goldmark.org/jeff/
smime.p7s (2.1 KB, application/pkcs7-signature)