In a message dated 98-05-02 23:59:31 EDT, smbat_private writes: << [...snip...] Once a connection is set up (that is, has transitioned to ESTABLISHED state), all packets will carry the ACK bit. They must also carry an acceptable sequence number. These provisions both apply to RST messages, too. In this case, though, a RST means that the other side has aborted the connection for some reason. [...snip...] What flavor RST your firewall should send depends on the connection state; if it gets it wrong, the remote side probably won't listen. That's definitely the case for a bare RST on an established connection. For more details, see RFC 793 and/or a good text on TCP, such as Stevens' ``TCP/IP Illustrated, Volume I''. >> Steve... I checked RFC 793... but my issues are.... If I am under a stealth scan... that is, if someone sent packets that appeared to be a part of another connection (by virtue of the ACK bit being set) but weren't really... what should I expect to see coming from my firewall in the following cases: Scenario... Attacker is coming from Host A and Im at HOST B. Nothing is listening on any port. The Initial TCP sequence is some arbitrary number (lets say 1234) HOST A sends SYN --------------------->HOST B HOST B Should send RST without ACK HOST A sends ACK --------------------->HOST B HOST B Should send what ? HOST A sends SYN/ACK --------------------->HOST B HOST B Should send RST with ACK .... (Right? But, what ACK'ed it? No services running) HOST A sends FIN --------------------->HOST B HOST B Should send what ? HOST A sends FIN/ACK --------------------->HOST B HOST B Should send what ? Once again... I'm just trying to get clarification as to whether RST should ALWAYS be accompanied by ACK's or not. And if they are accompanied by ACK's is it a valid conclusion that there was a TCP service listening? Thanks for all of the responses thus far... Hassan Karim
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:19 PDT