In simple terms, TCP flags are control bits that tell the receiving end how a TCP segment should be handled. These control bits reside in the TCP header; there are nine of them in total, one bit per flag. A full description of how TCP flags work is beyond the scope of this book, since TCP is a vast subject with many complexities. Here, we will only look at what the TCP flags are and how the Proxmox firewall handles TCP flag filtering. The following table summarizes the most commonly used TCP flags and their functions:
| TCP flag | Function |
| --- | --- |
| URG (1 bit) | Indicates that the TCP packet is urgent. |
| ACK (1 bit) | Indicates that the acknowledgment field is significant. After the initial SYN, all subsequent packets of a connection usually carry this flag. |
| PSH (1 bit) | Asks for the buffered data to be pushed to the receiving client application as soon as possible. |
| RST (1 bit) | Indicates a TCP connection reset. |
| SYN (1 bit) | Indicates synchronization of sequence numbers before initiating a TCP connection. Only the first packet sent from a source usually has this flag. |
| FIN (1 bit) | Indicates the end of the TCP packets, that is, no more data from the sender. |
TCP flags are useful for detecting and pinpointing oddly behaved TCP packets and for determining a possible intrusion. Arguments for TCP flag filtering are added to a firewall rule right after the -p option, as shown in the following code:
[RULES] IN DROP -p tcp -tcp-flags SYN,ACK SYN -dport
By default, TCP flag filtering is disabled in Proxmox VE. We can enable it to let the Proxmox firewall automatically drop odd packets whose flag bits are out of sync with a normal connection. Legitimate TCP traffic follows a consistent pattern of SYN usage; packets with unusual flag combinations usually indicate that they come from a bad source.
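To make the idea of "odd packets with out-of-sync bits" concrete, here is an added example in Python that is not part of the book or of the Proxmox firewall code. It decodes the nine control bits from a raw TCP header and gives a DROP/ACCEPT verdict for a few constructed segments: a normal handshake plus several combinations that no well-formed connection produces. The specific checks (no flags set, only FIN+PSH+URG, SYN together with FIN or RST, a lone SYN from source port 0) are my assumption of what a typical "illegal TCP flags" filter examines; the exact rule set Proxmox applies is not shown on the page.

```python
import struct

# Bit masks for the nine TCP control bits (RFC 793; ECE/CWR from RFC 3168, NS from RFC 3540).
TCP_FLAGS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
    "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}
# The six classic flags that flag-combination filters usually examine.
CLASSIC = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header (data offset 5, checksum left zero).
    This is constructed test input, not a captured packet."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    offset_and_flags = (5 << 12) | bits  # upper 4 bits: header length in 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, window, 0, 0)


def parse_tcp_flags(header):
    """Return the set of flag names set in a raw TCP header (at least 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    offset_and_flags = struct.unpack("!H", header[12:14])[0]
    bits = offset_and_flags & 0x1FF  # low 9 bits hold NS plus the eight other flags
    return {name for name, mask in TCP_FLAGS.items() if bits & mask}


def illegal_flag_reason(flags):
    """Return why a flag combination is illegal, or None if it is plausible.
    Assumed checks modelled on common 'illegal TCP flags' filters; ECN bits are ignored."""
    f = set(flags) & CLASSIC
    if not f:
        return "no control flags set"
    if f == {"FIN", "PSH", "URG"}:
        return "only FIN, PSH and URG set"
    if {"SYN", "FIN"} <= f:
        return "SYN and FIN set together"
    if {"SYN", "RST"} <= f:
        return "SYN and RST set together"
    return None


def firewall_verdict(header):
    """Decide DROP or ACCEPT for one raw TCP header, in the spirit of a flag-filtering
    option: odd segments are dropped before the normal rule set is consulted."""
    flags = parse_tcp_flags(header)
    reason = illegal_flag_reason(flags)
    if reason is None:
        sport = struct.unpack("!H", header[0:2])[0]
        if sport == 0 and flags & CLASSIC == {"SYN"}:
            reason = "SYN from source port 0"
    return ("DROP", reason) if reason else ("ACCEPT", None)


# Constructed sample traffic: a normal three-way handshake plus some odd segments.
SAMPLE = [
    ("client SYN", build_tcp_header(40000, 22, {"SYN"})),
    ("server SYN-ACK", build_tcp_header(22, 40000, {"SYN", "ACK"})),
    ("client ACK", build_tcp_header(40000, 22, {"ACK"})),
    ("data with PSH", build_tcp_header(40000, 22, {"PSH", "ACK"})),
    ("no flags", build_tcp_header(40001, 22, set())),
    ("SYN+FIN", build_tcp_header(40002, 22, {"SYN", "FIN"})),
    ("FIN+PSH+URG", build_tcp_header(40003, 22, {"FIN", "PSH", "URG"})),
    ("SYN from port 0", build_tcp_header(0, 22, {"SYN"})),
]


def audit(samples=SAMPLE):
    """Return {label: (verdict, reason)} for each sample segment."""
    return {label: firewall_verdict(hdr) for label, hdr in samples}


if __name__ == "__main__":
    for label, (verdict, reason) in audit().items():
        print(f"{label:16} {verdict:6} {reason or ''}")
```

Running the script prints one line per sample: the four handshake and data segments are accepted, while the four odd segments are dropped with the matching reason. Feeding it real headers (for example, the TCP layer of packets read from a pcap) would show which of a host's incoming segments such a filter would discard before the regular rules are evaluated.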