flags
Description
Instructs the firewall to match TCP flags in the packet header against the specified type.
Synopsis
{block | pass} {in | out} proto tcp address_scope flags [flag_type [/flag_mask]]
address_scope can be a unique IP address, an address space, or the keywords !, all, me, or any.
flag_type and flag_mask can be:
• U (Urgent)
• A (Ack)
• P (Push)
• R (Reset)
• S (Syn)
• F (Fin)
• 0 (no flags active)
flag_type and flag_mask are separated by a slash (/). For a rule to match, the flag specified in flag_type must be set in the TCP packet header. If a flag is not explicitly specified in flag_type, it must not be set in the TCP packet header.
A flag_mask, however, introduces flexibility to the rule. Flags specified in the flag_mask must strictly conform to their flag_type setting. Flags not specified in the flag_mask are allowed to vary from their flag_type setting.
If no flag_mask is specified, all flags must match their flag_type specification; that is, the default mask is UAPRSF.
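
The matching rule described above, modelled in Python so the effect of a mask can be checked against sample packets. This is an added example, not code from the firewall or its documentation; `to_bits`, `parse_flags` and `matches` are hypothetical helper names, and the sample packets are constructed.

```python
# Added example: models the flag_type/flag_mask matching described above.
# to_bits(), parse_flags() and matches() are hypothetical helpers.

# Bit values of the six flags in the TCP header flags byte.
BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
DEFAULT_MASK = "UAPRSF"  # per the text: used when no flag_mask is given


def to_bits(letters):
    """Convert a flag string such as 'SA' (or '0' for none) to a bitmask."""
    if letters == "0":
        return 0
    value = 0
    for ch in letters:
        if ch not in BITS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        value |= BITS[ch]
    return value


def parse_flags(spec):
    """Split 'flag_type[/flag_mask]' into (type_bits, mask_bits)."""
    flag_type, sep, flag_mask = spec.partition("/")
    if not flag_type or (sep and not flag_mask):
        raise ValueError(f"malformed flags spec: {spec!r}")
    return to_bits(flag_type), to_bits(flag_mask if sep else DEFAULT_MASK)


def matches(spec, packet_flags):
    """True when every flag inside the mask equals its flag_type setting."""
    type_bits, mask_bits = parse_flags(spec)
    return (packet_flags & mask_bits) == (type_bits & mask_bits)


# Constructed sample packets: name -> TCP flags byte.
PACKETS = {
    "SYN": to_bits("S"),
    "SYN+ACK": to_bits("SA"),
    "SYN+URG": to_bits("SU"),
    "ACK": to_bits("A"),
    "FIN+PSH+URG": to_bits("FPU"),
    "no flags": 0,
}

if __name__ == "__main__":
    for spec in ("S", "S/SA", "0", "A/A"):
        hits = [name for name, bits in PACKETS.items() if matches(spec, bits)]
        print(f"flags {spec:<5} matches: {', '.join(hits) or '(none)'}")
```

With no mask, `flags S` matches only a packet whose sole flag is SYN; `flags S/SA` also accepts SYN+URG because U is outside the mask, but still rejects SYN+ACK.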