From: "Shaun T. Erickson"
Date: Tue, 02 Mar 2004 13:52:13 -0500
To: danny@ricin.com
cc: freebsd-questions@freebsd.org
Subject: Re: How do I test for NO tcp flags being set, in ipfilter? (repost)
Message-ID: <4044D7DD.9090400@ste-land.com>
In-Reply-To: <200403021933.14816.danny@ricin.com>

Danny Pansters wrote:
> On Tuesday 02 March 2004 18:27, Shaun T. Erickson wrote:
>
>> How do I test for NO tcp flags being set, in ipfilter?
>
> You can filter on TCP flags but seems to me what you really mean is how to
> check for no TCP options ("nop") rather than no flags:
>
> 'with opt nop' is a syntax that should work.
>
> WRT flags, it's my understanding that every TCP packet has at least the A or S
> flag set.

Actually, I do mean no flags set.
Nmap's null scan uses packets with all TCP flags turned off. On Linux, with iptables, I would say "--tcp-flags ALL NONE" to test for this (the bits to test and the mask are in reverse order to how we specify them in ipfilter). The closest ipfilter statement would be "flags /FSRPAU", specifying no flags to be set, out of all flags. I don't believe this is legal syntax though.

-ste
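The flag test both tools are describing reduces to one comparison, (flags & mask) == comp, and the two syntaxes differ only in which side of the slash (or which argument) carries the mask. The following is an added example, not code from this thread or from ipfilter or iptables: it parses the flag byte out of raw TCP headers, models ipfilter's "flags comp/mask" and iptables' "--tcp-flags MASK COMP" as that comparison, and runs both over constructed headers (a null-scan probe with no flags, a plain SYN, a SYN/ACK and a FIN/PSH/URG probe). It assumes only the six flag letters mentioned in the thread (F S R P A U), requires an explicit mask after the slash, and makes no claim about whether ipf actually accepts an empty comp such as "/FSRPAU"; it only shows what that rule would mean.

```python
"""Model ipfilter / iptables TCP flag tests against raw TCP headers.

Added example for the list thread above; not ipfilter or iptables code.
Assumes the six flag letters F S R P A U and the semantics
(flags & mask) == comp for both tools.
"""
import struct

# Bit values of the flags in byte 13 of a TCP header, keyed by the
# single-letter names ipfilter uses for them.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = 0x3F  # F|S|R|P|A|U; the two ECN bits above them are not modelled

# iptables spells the same six flags out as words.
IPTABLES_NAMES = {"FIN": "F", "SYN": "S", "RST": "R", "PSH": "P", "ACK": "A", "URG": "U"}


def flags_from_letters(letters: str) -> int:
    """'SA' -> 0x12; the empty string means no flags at all (0)."""
    bits = 0
    for ch in letters.upper():
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def parse_ipfilter_flags(spec: str) -> tuple:
    """ipfilter order: 'comp/mask'. '/FSRPAU' -> comp=0, mask=ALL.

    The mask is required here (assumption of this model), so the shorthand
    forms ipf may allow without a slash are rejected rather than guessed at.
    """
    comp_letters, slash, mask_letters = spec.partition("/")
    if not slash or not mask_letters:
        raise ValueError("expected 'comp/mask' with an explicit mask")
    return flags_from_letters(comp_letters), flags_from_letters(mask_letters)


def parse_iptables_tcp_flags(mask_words: str, comp_words: str) -> tuple:
    """iptables order: '--tcp-flags MASK COMP', i.e. mask first.

    Returns (comp, mask) so both parsers feed the same matcher. Accepts the
    comma-separated flag names plus the ALL and NONE keywords.
    """
    def to_bits(words: str) -> int:
        if words == "ALL":
            return ALL_FLAGS
        if words == "NONE":
            return 0
        return flags_from_letters("".join(IPTABLES_NAMES[w] for w in words.split(",")))

    return to_bits(comp_words), to_bits(mask_words)


def tcp_flags(segment: bytes) -> int:
    """Flag byte (offset 13) of a raw TCP segment, without IP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def matches(segment: bytes, comp: int, mask: int) -> bool:
    """The one comparison both rule syntaxes boil down to."""
    return (tcp_flags(segment) & mask) == comp


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 22) -> bytes:
    """Constructed 20-byte TCP header (no options) carrying the given flags."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 1024, 0, 0)


# Constructed samples: a null-scan probe, a SYN, a SYN/ACK, a FIN/PSH/URG probe.
SAMPLES = {
    "null": build_tcp_header(0),
    "syn": build_tcp_header(FLAG_BITS["S"]),
    "synack": build_tcp_header(FLAG_BITS["S"] | FLAG_BITS["A"]),
    "xmas": build_tcp_header(FLAG_BITS["F"] | FLAG_BITS["P"] | FLAG_BITS["U"]),
}


def classify(spec: str) -> list:
    """Names of the samples an ipfilter rule 'flags SPEC' would match."""
    comp, mask = parse_ipfilter_flags(spec)
    return [name for name, seg in SAMPLES.items() if matches(seg, comp, mask)]


def classify_iptables(mask_words: str, comp_words: str) -> list:
    """Names of the samples '--tcp-flags MASK COMP' would match."""
    comp, mask = parse_iptables_tcp_flags(mask_words, comp_words)
    return [name for name, seg in SAMPLES.items() if matches(seg, comp, mask)]


if __name__ == "__main__":
    for spec in ("/FSRPAU", "S/SA", "FPU/FSRPAU"):
        print(f"ipfilter flags {spec:<11} -> {classify(spec)}")
    print("iptables --tcp-flags ALL NONE ->", classify_iptables("ALL", "NONE"))
```

Run stand-alone it shows that "/FSRPAU" and "--tcp-flags ALL NONE" select exactly the null-scan probe, while "S/SA" picks out the bare SYN and not the SYN/ACK. The flag byte is read at a fixed offset because the flags live in the fixed 20-byte part of the header; TCP options, which Danny's "with opt nop" would test, only start after byte 20.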