Detecting IPv4 SYN requests

I have a firewall rule to block any TCP connection attempts on the interface connected to the Internet. It does this by testing for a TCP SYN flag with all the other TCP flags explicitly set to the NOT condition. This rule works and if I turn on logging for it, the log shows only the SYN flag for the packets. In a day, it catches lots (100+) of connection attempts. I also have a default input chain rule on the same interface at the end of the rules to block anything that has gotten that far in the rules. This is normally logged. Every day there are about 10 log entries from the default rule and they look exactly like the entries from the SYN blocking rule; the only TCP flag shown is SYN. I can’t figure out how those got past the SYN blocking rule since the log entries look exactly the same. Any ideas? What is the best way to detect a TCP connection attempt from the Internet?

Why don’t you use a stateful firewall with connection tracking? The first packet of a TCP connection will always be “new”, no need to reinvent the wheel by checking flags manually.

Per the suggestion, I am testing a “new connection” rule right above the SYN flag checking rule. So far it has caught everything. I will see if anything falls down to the default rule. The log entries look just like the SYN checking and default rules: proto TCP (SYN).

I did notice that it rejected an ACK, PSH from an IP address and to a port that I recognize and would be legitimate. I also removed any protocol specification in the rule and it caught a UDP connection attempt which I consider a good thing.
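The two approaches discussed in this thread side by side, as an added example rather than the poster's actual rule set: the flag-based match from the question, and the connection-tracking match from the reply (applied without a protocol match, as in the follow-up). The interface name, log prefixes and the `IPT` variable are assumptions; set `IPT=echo` to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# WAN_IF is assumed to be the Internet-facing interface.
WAN_IF="${WAN_IF:-eth0}"
# Command used to load rules; IPT=echo turns this into a dry run.
IPT="${IPT:-iptables}"

# Approach A: the flag test from the question.
# --tcp-flags MASK COMP matches when (flags & MASK) == COMP, so
# "ALL SYN" means SYN set and every other flag clear. It can only
# apply to TCP (-p tcp is required), so UDP never reaches it.
syn_flag_rules() {
    $IPT -A INPUT -i "$WAN_IF" -p tcp --tcp-flags ALL SYN \
        -j LOG --log-prefix "SYN-ONLY: "
    $IPT -A INPUT -i "$WAN_IF" -p tcp --tcp-flags ALL SYN -j DROP
}

# Approach B: conntrack state, as suggested in the reply.
# The first packet conntrack sees for any flow (TCP, UDP, ICMP) is
# NEW, whatever its flag bits, so an odd flag combination cannot
# slip past the way a flag-only rule can be sidestepped.
conntrack_rules() {
    # Replies to flows we opened are accepted first ...
    $IPT -A INPUT -i "$WAN_IF" -m conntrack \
        --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ... malformed or out-of-window packets are dropped quietly ...
    $IPT -A INPUT -i "$WAN_IF" -m conntrack --ctstate INVALID -j DROP
    # ... and every remaining first packet is logged, then dropped.
    $IPT -A INPUT -i "$WAN_IF" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "NEW-CONN: "
    $IPT -A INPUT -i "$WAN_IF" -m conntrack --ctstate NEW -j DROP
}

# Caveat for approach B: with net.netfilter.nf_conntrack_tcp_loose=1
# (the kernel default) a mid-stream ACK,PSH packet for a flow conntrack
# has no entry for (e.g. after a reboot or table flush) is also
# classified NEW and will show up in the NEW-CONN log. Setting it to 0
# makes conntrack accept only SYN-started flows.
conntrack_strict_sysctl() {
    $IPT -h >/dev/null 2>&1 || true   # keep dry runs quiet
    sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
}

# Load the conntrack variant only when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    conntrack_rules
fi
```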