Netgate Discussion Forum

    ACL using tcp flags option

    TNSR
    5 Posts 2 Posters 1.1k Views
    • Qwireca

      I'm trying to wrap my head around how the tcp flags option in an ACL works.

      The documentation says (https://docs.netgate.com/tnsr/en/latest/acl/standard.html#standard-acl-example:~:text=tcp%20flags%20value,2%20mask%2018):

      tcp flags value <v> mask <m>
      For rules matching TCP packets, tcp flags further restrict the match. This statement requires both a value and mask, which may be given in either order. The value and mask together define the flags matched out of a possible set of flags. These flags are specified numerically using the standard values for the flags: URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1. Add the values together to reach the desired value.

      For example, with stateful filtering a common way to detect the start of a TCP session is to look for the TCP SYN flag with a mask of SYN+ACK. That way it will match only when SYN is set and ACK is not set. Using the values from the previous paragraph yields: tcp flags value 2 mask 18

      Does mask mean a binary mask, meaning tcp flags value 2 mask 18 is :

      0 0 0 0 0 0 1 0
      0 1 0 0 0 0 1 0
      ----------------
      0 0 0 0 0 0 1 0
      

      In that case could I also use "tcp flags value 2 mask 2"? Mask 18 only feels relevant if I use value 18 to hit both SYN and SYN+ACK?

      • jimp (Rebel Alliance Developer, Netgate)

        It works the same as it does on pfSense just a different interface. The mask controls which bits of the packet are considered when doing the comparison.

        Normally for TCP you want to check SYN with a mask of SYN+ACK because you only want to create a reflection state for the starting packet of a connection (the initial SYN).

        "SYN with mask of SYN+ACK" means "Match only if the packet has SYN set and ACK unset"

        If you only look for SYN with a mask of SYN that means any packet with SYN will pass the ACL, including a SYN+ACK that was sent unsolicited from a third party, which could be malicious.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Qwireca @jimp

          @jimp Thank you. I think I'm getting the hang of it.
          So a value 2 mask 2 would hit all packets with the SYN flag set, including SYN-ACK. Therefore a mask of 18 is used instead, as it will trigger on packets with flag 2 but they must also have flag 16 set due to the mask?

          I guess flags value can only be one flag at a time? So a flag can be 2 or 16 but not a combined 18?
          I will do some testing myself, just wanted a basic understanding how flags/mask works first.

          Background to the question.
          I'm looking to convert an iptables rule set looking like this.

          iptables -A <chain> -j Deny -s <network> -p tcp --syn
          iptables -A <chain> -j ACCEPT -s <network> -p tcp

          And I understand this rule set as: block all new connections, allow return traffic.

          To translate to TNSR, a deny tcp flags value 2 mask 18 and one accept tcp underneath is needed.

          Sorry if the reply is kinda messy. Sitting on a phone, thinking I understand how it works :)

          • jimp

            In that case it would probably actually just be checking SYN since it's a deny rule and it wants to block anything with SYN set no matter where it is.

            Where you'd want to mask it the way I described is when crafting reflect or pass rules.

            • Qwireca @jimp

              @jimp Sorry for being so slow. Forgetting to check in to a new forum :)

              I think in iptables --syn actually only hits packets with SYN set and the ACK, RST and FIN bits cleared.

              Do I understand correctly if the rule,
              iptables -A <chain> -j Deny -s <network> -p tcp --syn

              Translates to:
              action drop
              ip-version ipv4
              source destination <network>
              protocol tcp
              tcp flags value 2 mask 18

              Reason being "tcp flags value 2 mask 18" will only hit if SYN flag is set.
              It can't match the whole mask, that is to say ACK must not be set.
              Illegal combinations like SYN+RST will be ignored as it's not part of the mask.
              Other flag combinations will not be a hit as a SYN flag is not set.

              I guess I have a hard time getting that it's not like this.
              Value nominates what flag need to be set to start a match against the mask.
              The mask must be fulfilled to trigger the rule.
              This gives that "tcp flags value 2 mask 18" would only start a check if SYN is set, and the rule would only trigger if the packet has SYN+ACK.

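Added example, not code from the thread or from TNSR/VPP, putting jimp's definition of value/mask and the iptables --syn question into runnable form. The matching rule it implements is the one jimp describes: the mask selects which flag bits are compared, the value says what those bits must be, so a packet matches when (flags & mask) == value. The value bits outside the mask are never compared, so in this example such a rule is rejected as a configuration error (a real filter would simply never match it). The rule labels, sample packets and the `match_table` helper are constructed for illustration; the flag numbers are the ones quoted from the TNSR documentation above, and the equivalence of iptables `--syn` to `--tcp-flags SYN,RST,ACK,FIN SYN` (mask 23, value 2) is from the iptables manual page.

```python
"""
Simulate 'tcp flags value <v> mask <m>' matching as described in the thread.

Added example, not code from the thread or from TNSR. Semantics assumed:
    match  <=>  (packet_flags & mask) == value
The mask picks the bits that are examined; the value states what they must be.
"""

# Flag bit values as quoted from the TNSR documentation in the first post.
URG, ACK, PSH, RST, SYN, FIN = 32, 16, 8, 4, 2, 1

# Display order used by describe(); purely cosmetic.
NAME_ORDER = [("SYN", SYN), ("ACK", ACK), ("PSH", PSH),
              ("RST", RST), ("FIN", FIN), ("URG", URG)]


def flags_match(packet_flags: int, value: int, mask: int) -> bool:
    """Return True if the packet satisfies 'tcp flags value <value> mask <mask>'.

    Only the bits set in `mask` are compared. A value bit outside the mask can
    never be compared, so this example treats it as a misconfigured rule.
    """
    if value & ~mask:
        raise ValueError(f"value {value} has bits outside mask {mask}")
    return (packet_flags & mask) == value


def describe(flags: int) -> str:
    """Human-readable name for a flag byte, e.g. 18 -> 'SYN+ACK'."""
    names = [name for name, bit in NAME_ORDER if flags & bit]
    return "+".join(names) if names else "none"


# The rules discussed in the thread (labels are constructed for this example).
# Mask 23 = SYN+RST+ACK+FIN is what iptables --syn expands to
# (--tcp-flags SYN,RST,ACK,FIN SYN): SYN set, the other three clear.
RULES = {
    "value 2 mask 2": (SYN, SYN),
    "value 2 mask 18": (SYN, SYN | ACK),
    "value 2 mask 23 (iptables --syn)": (SYN, SYN | ACK | RST | FIN),
}

# Constructed sample packets: just the flag byte of a few TCP segments.
PACKETS = [
    SYN,          # client opening a connection
    SYN | ACK,    # server's reply in the handshake
    ACK,          # mid-connection segment
    PSH | ACK,    # data segment
    SYN | RST,    # illegal combination
    SYN | FIN,    # illegal combination
    FIN | ACK,    # teardown
]


def match_table() -> dict[str, list[str]]:
    """For each rule, the sample packets it matches, in PACKETS order."""
    return {
        label: [describe(p) for p in PACKETS if flags_match(p, value, mask)]
        for label, (value, mask) in RULES.items()
    }


if __name__ == "__main__":
    for label, hits in match_table().items():
        print(f"{label:34s} -> {', '.join(hits)}")
```

Running it shows the three behaviours side by side: `value 2 mask 2` matches every packet carrying SYN, including SYN+ACK; `value 2 mask 18` excludes SYN+ACK but still matches SYN+RST and SYN+FIN, because RST and FIN are outside the mask and therefore ignored; `value 2 mask 23` matches only a bare SYN, which is the iptables `--syn` behaviour. So the value does not "start" a check that the mask then has to "fulfil": the mask is the set of bits looked at, and the value is the exact pattern those bits must show. If the goal is a literal translation of `-p tcp --syn`, the TNSR rule using the documentation's numeric scheme is `tcp flags value 2 mask 23`; `value 2 mask 18` is the looser form that only requires ACK to be clear.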
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.