The TCP protocol has six different flags – SYN (syncronize), ACK (acknowledge), URG (urgent), PSH (push), RST (reset) and FIN (finished).
SYN, ACK and FIN are for example part of the three-way handshake. When a TCP-sender is connecting to a TCP-receiver, the first contact is SYN – a way to say “Hello, are you there?”. The receiver replies with SYN-ACK to acknowledge that “Hi, yes I am here” – and the handshake finishes with ACK where the sender acknowledge that the transfer of data will begin. The same process happens when the data has finished to transfer, with the flags being FIN, FIN-ACK and ACK.
So how can we use this to our advantage in our firewall? Some of the more decent firewalls will detect that someone is sending out SYN-flags to try and get a response from any of the open ports. These calls will only have the SYN-flag set and nothing more. The firewall will then block this attempt. Because of this, most intruders will more likely send out other flags like ACK or FIN – and you should then probably think about setting your firewall to also deny any attempts to connect with only those flags set.
Now, I am not really sure about the effectiveness about this – since I have not tried to implement it and neither tried to penetrate it. This all comes from what i deducted in my head from the lecture – but I definitively need to do some more research on the area. An ideas? Please comment 🙂