Dropping RST packets to a portrange
-
I need to create a firewall rule for pfsense that drops/blocks RST packets to a given port range (thanks to Comcast's sandvine). I know how to do this with iptables, on linux, but not sure how to put this together with pfsense. Can somebody please help?
-
pfSense blocks everything by default.
Just don't create an allow rule on the WAN.
-
Sorry, I guess I didn't properly explain my question well enough. I currently have a port forwarding rule set up to send all TCP traffic to ports 49000-50000, but I need that further modified to accept all TCP traffic EXCEPT RST packets, which need to be dropped. An example iptables rule for this would look like:
iptables -A FORWARD -p tcp --dport 49000:50000 --tcp-flags RST RST -j DROP
This rule is to stop Comcast's traffic shaper, Sandvine, from sending connection reset packets to (BitTorrent) connections that it deems to use too much bandwidth.
-
Anybody?
-
RST packets have no payload and hence no port.
I am far from an expert, but based on my reading of the Snort documentation, Snort is able to detect the RST flag and alert; you may be able to configure a combined rule in Snort to achieve your goals. I don't know enough yet to tell anyone how to do it, though... but I am working on it.
You may want to check out page 129 of the Snort user guide. http://www.snort.org/assets/82/snort_manual.pdf
My guess is that you could let Snort deal with the RST packets and let pfSense handle the rest; I can't think of a valid reason to accept an incoming RST anyway.
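Added example, not from any poster in this thread: the packet-level test that the iptables rule in the question performs (RST bit set, destination port in 49000-50000), written out in Python so the matching semantics can be run offline. It also bears on the remark above about RST packets: a RST segment normally carries no payload, but it still has the full 20-byte TCP header with source and destination ports, so a port-range test on it is meaningful. The iptables option `--tcp-flags MASK COMP` inspects only the bits in MASK and matches when exactly the bits in COMP are set, so `--tcp-flags RST RST` matches RST and RST+ACK alike. The sample segments, the port range and the helper names are constructed for this example. One caveat for pfSense: pf matches packets against its state table before it evaluates the ruleset, so a RST that belongs to an already-tracked connection can be consumed by that state entry before any block rule sees it; a rule like this is only as effective as the firewall's ability to evaluate it on every segment.

```python
"""Packet-level equivalent of:
   iptables -A FORWARD -p tcp --dport 49000:50000 --tcp-flags RST RST -j DROP
Example code added to the thread, not the poster's own; all samples are constructed."""

import struct

# TCP flag bits in the low byte of the offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# sport, dport, seq, ack, data-offset/flags, window, checksum, urgent pointer
TCP_HEADER = struct.Struct("!HHIIHHHH")  # 20 bytes, the minimum TCP header


def parse_tcp(segment: bytes) -> dict:
    """Return the header fields a filter needs from a raw TCP segment."""
    if len(segment) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = TCP_HEADER.unpack_from(segment)
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    return {
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x3F,               # FIN..URG; ECE/CWR ignored here
        "payload": segment[data_offset:],
    }


def tcp_flags_match(flags: int, mask: int, comp: int) -> bool:
    """iptables semantics for --tcp-flags MASK COMP: look only at MASK bits,
    match when exactly the COMP bits (a subset of MASK) are set."""
    return (flags & mask) == comp


def rst_to_port_range(segment: bytes, lo: int = 49000, hi: int = 50000) -> bool:
    """The rule from the question: TCP, dport in lo..hi inclusive, RST set -> DROP."""
    hdr = parse_tcp(segment)
    return lo <= hdr["dport"] <= hi and tcp_flags_match(hdr["flags"], RST, RST)


def build_segment(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Construct a minimal TCP segment (no options; checksum left as zero)."""
    off_flags = (5 << 12) | flags                # data offset 5 words = 20 bytes
    return TCP_HEADER.pack(sport, dport, 0, 0, off_flags, 65535, 0, 0) + payload


# Constructed sample segments, all from a hypothetical remote port 40001.
SAMPLES = {
    "syn_to_49500":     build_segment(40001, 49500, SYN),
    "rst_to_49500":     build_segment(40001, 49500, RST),
    "rst_ack_to_49500": build_segment(40001, 49500, RST | ACK),
    "rst_to_80":        build_segment(40001, 80, RST),
    "data_to_50000":    build_segment(40001, 50000, PSH | ACK, b"hello"),
}


def classify(samples: dict = SAMPLES) -> dict:
    """Map each sample name to the verdict the rule would give it."""
    return {name: ("DROP" if rst_to_port_range(seg) else "ACCEPT")
            for name, seg in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:18s} {verdict}")
```

Only the two RST samples aimed at the range are dropped; a RST to port 80 and a data segment to port 50000 pass, and the RST-bearing segments parse with an empty payload but valid ports, which is the whole reason a port-range match on them works.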