First page Back Continue Last page Summary Graphics
TCP Connection State Filtering
- SYN flag set in the first connection request message
- ACK is set in all subsequent messages
- Usually bound to an unprivileged port
- Always have the ACK flag set
- Usually bound to the well-known server port
Incoming TCP packet acceptance rules can make use of the connection state flags associated with TCP connections. All TCP connections adhere to the same set of connection states. These states differ between client and server due to the 3-way handshake during connection establishment.
Ipchains gives access to the SYN and ACK flags, only.
Incoming TCP packets from remote clients will have the SYN flag set in the first packet received as part of the 3-way connection establishment handshake. The first connection request will have SYN flag set, but not the ACK flag. All incoming packets after the first connection request will only have the ACK flag set. Your local server firewall rules will allow incoming packets regardless of the state of the SYN and ACK flags.
Incoming packets from remote servers will always be responses to the initial connection request initiated from your local client program. Every packet received from a remote server will have the ACK flag set. Your local client firewall rules will require all incoming packets from remote servers to have the ACK flag set.