
TCP Connection State Filtering


Incoming TCP packet acceptance rules can make use of the connection state flags carried in the TCP header. All TCP connections pass through the same set of connection states, but the flags seen on incoming packets differ depending on whether the local side is the client or the server, because of the 3-way handshake used during connection establishment.
ipchains gives access to the SYN and ACK state only, through its -y match (a connection request: SYN set, ACK clear) and the negated form ! -y (every other TCP packet).
A remote client's first packet in the 3-way handshake, the connection request, has the SYN flag set and the ACK flag clear. Every later incoming packet on that connection has ACK set and SYN clear (it may also carry other flags, such as PSH or FIN). Firewall rules for a local server must therefore accept incoming packets regardless of the state of the SYN and ACK flags; a server that denied SYN-only packets could never accept a new connection.

Incoming packets from remote servers are always responses to a connection request initiated by a local client program, so every packet received from a remote server has the ACK flag set (the second handshake packet has both SYN and ACK set). Firewall rules for a local client should therefore require ACK on all incoming packets from remote servers; a packet arriving with SYN set and ACK clear is an unsolicited connection attempt, not a reply, and can be denied.
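The following Python is an added worked example, not code from the original slides: it parses the control-bit byte from raw TCP segments, implements the connection-request test the way the ipchains -y match is described above (SYN set, ACK and FIN clear), and applies the two rule sets from the text, a server-side rule that accepts regardless of SYN/ACK and a client-side rule that requires ACK. The segments are constructed inline for the demonstration (checksums left at zero), and the function names are this example's own.

```python
"""Classify raw TCP segments by SYN/ACK state and apply server- vs client-side
acceptance rules. Added example for this page; not part of ipchains itself."""
import struct

# TCP control bits, found in byte 13 of the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def make_segment(sport, dport, flags, seq=0, ack=0, payload=b""):
    """Build a minimal 20-byte TCP header (no options) plus payload.
    Constructed test data only: window is fixed and the checksum is zero."""
    data_offset = 5 << 4            # header length (5 words) in the high nibble
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset, flags, 65535, 0, 0)
    return header + payload


def tcp_flags(segment):
    """Return the control-bit byte of a raw TCP segment (header at offset 0)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def flag_string(flags):
    """Human-readable flag list, e.g. 0x12 -> 'SYN|ACK'."""
    return "|".join(n for b, n in sorted(FLAG_NAMES.items()) if flags & b) or "none"


def is_connection_request(flags):
    """ipchains '-y' semantics: SYN set, ACK and FIN clear (first handshake packet)."""
    return bool(flags & SYN) and not (flags & (ACK | FIN))


def server_input_rule(flags):
    """Local server: must accept the initial SYN as well as later ACK packets,
    so the verdict does not depend on the SYN/ACK state at all."""
    return "ACCEPT"


def client_input_rule(flags):
    """Local client: every legitimate packet from a remote server is a reply,
    so ACK must be set. A bare SYN is an unsolicited connection attempt."""
    return "ACCEPT" if flags & ACK else "DENY"


def filter_segments(segments, rule):
    """Apply a rule to each raw segment; return (flags as text, verdict) pairs."""
    return [(flag_string(tcp_flags(s)), rule(tcp_flags(s))) for s in segments]


if __name__ == "__main__":
    # Constructed traffic as seen on a client host: the reply side of a
    # handshake to a remote web server, followed by a stray SYN probe.
    incoming = [
        make_segment(80, 40000, SYN | ACK, seq=1000, ack=1),          # handshake step 2
        make_segment(80, 40000, PSH | ACK, seq=1001, ack=2, payload=b"HTTP/1.0 200 OK"),
        make_segment(80, 40000, FIN | ACK, seq=1016, ack=2),          # server closes
        make_segment(12345, 22, SYN),                                 # unsolicited request
    ]
    for flags_txt, verdict in filter_segments(incoming, client_input_rule):
        print(f"client chain: {flags_txt:8} -> {verdict}")
    for flags_txt, verdict in filter_segments(incoming, server_input_rule):
        print(f"server chain: {flags_txt:8} -> {verdict}")
```

In ipchains terms, client_input_rule corresponds to accepting incoming packets from the remote server's port only with ! -y, and server_input_rule to accepting them with no -y test. Note that ! -y is slightly looser than "ACK set": it also passes packets with neither SYN nor ACK, which the function above denies.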