When to enable the TCP flag "out of"?
I am confused about the "out of" part of the TCP flags. Can anyone give me an example of when this should be used? I get how to use the "set" part, for example if a packet matches TCP:Syn then allow (i.e. SYN is "set"). But should SYN "out of" also be checked?
My understanding is you set the "out of" bits for the flags you care about. If the "out of" bit is not set, that flag is ignored. If it is set, then that flag must match the set/not set setting.
In nearly all cases, you will never need to touch that. It's for making sure some flags are set and others are unset.
So if you have "S" out of "SA" checked, it will only match if SYN is set and ACK is not set. This way it can match the first packet of a TCP handshake but not the later packets. That example is the default choice when that control is left alone at its default and the rule is for TCP.
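To make the "set" / "out of" semantics concrete, here is a small model of the match in Python. This is an added example, not code from the original thread or from any firewall product: the "out of" list is treated as a mask of flags the rule inspects, and "set" as the required values of those flags; everything outside the mask is ignored. The flag bit values are the standard TCP header ones (FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10, URG 0x20, ECE 0x40, CWR 0x80); the sample headers are constructed inline, and the function names are my own.

```python
"""Model of a firewall's "set" / "out of" TCP-flag match (added example)."""
import struct

# Single-letter flag names as used in the firewall UI -> TCP header flag bits.
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flags_to_bits(spec: str) -> int:
    """Turn a flag string such as "SA" into its bitmask (empty string -> 0)."""
    bits = 0
    for ch in spec.upper():
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def flags_from_tcp_header(header: bytes) -> int:
    """Read the 8 flag bits from a raw TCP header (byte 13 of the header)."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return header[13]


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Build a minimal 20-byte TCP header with the given flags (constructed sample)."""
    data_offset = 5 << 4          # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def matches(packet_flags: int, set_spec: str, out_of_spec: str) -> bool:
    """Apply the rule: every flag in "out of" must equal its "set" value.

    Flags not listed in "out of" are not inspected at all. A flag listed in
    "set" but not in "out of" is a configuration error, since the rule would
    never look at it.
    """
    mask = flags_to_bits(out_of_spec)
    want = flags_to_bits(set_spec)
    if want & ~mask:
        raise ValueError("every flag in 'set' must also appear in 'out of'")
    return (packet_flags & mask) == want


def handshake_demo(set_spec: str = "S", out_of_spec: str = "SA") -> dict:
    """Run the rule against the three packets of a TCP handshake."""
    packets = {
        "client SYN": build_tcp_header(flags=FLAG_BITS["S"]),
        "server SYN-ACK": build_tcp_header(flags=FLAG_BITS["S"] | FLAG_BITS["A"]),
        "client ACK": build_tcp_header(flags=FLAG_BITS["A"]),
    }
    return {name: matches(flags_from_tcp_header(hdr), set_spec, out_of_spec)
            for name, hdr in packets.items()}


if __name__ == "__main__":
    # Default rule: "S" out of "SA" -> only the first handshake packet matches.
    for name, hit in handshake_demo().items():
        print(f'S out of SA  {name:15s} -> {"match" if hit else "no match"}')
    # Looser rule: "S" out of "S" -> SYN-ACK also matches, because ACK is ignored.
    for name, hit in handshake_demo("S", "S").items():
        print(f'S out of S   {name:15s} -> {"match" if hit else "no match"}')
```

Run it to see why "S out of SA" is the usual choice for a rule that should admit new connections only: with ACK added to "out of", the server's SYN-ACK is rejected by the rule, while "S out of S" would let it through because ACK is never examined. An empty "out of" matches every packet, which is the "any flags" case.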
Thanks, that explanation also confirms what I read here:
ctrl-f tcp flags
This doc cleared up my confusion on TCP flags a lot.