Dropping RST packets to a portrange

  • I need to create a firewall rule for pfsense that drops/blocks RST packets to a given port range (thanks to Comcast's sandvine). I know how to do this with iptables, on linux, but not sure how to put this together with pfsense. Can somebody please help?

  • pfSense blocks everything by default.
    Just don't create an allow rule on the WAN.

  • Sorry, I guess I didn't properly explain my question well enough. I currently have a port forwarding rule set up to send all TCP traffic to ports 49000-50000, but I need that further modified to accept all TCP traffic EXCEPT RST packets, which need to be dropped. An example iptables rule for this would look like:
    iptables -A FORWARD -p tcp --dport 49000:50000 --tcp-flags RST RST -j DROP

    This rule is to stop Comcast's traffic shaper, Sandvine, from sending connection reset packets to (bittorrent) connections that it deems to use too much bandwidth.
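    As an added example (not code from the thread), a small Python matcher that applies the same criteria as that iptables rule, i.e. TCP, destination port within 49000-50000, RST flag set, to raw IPv4/TCP headers; the packet builder, addresses and ports used for testing are constructed, and IPv6 is not handled.

```python
import struct

PORT_LO, PORT_HI = 49000, 50000   # port range from the question
TCP_RST = 0x04                     # RST bit in the TCP flags byte
IPPROTO_TCP = 6


def build_packet(dport: int, flags: int, sport: int = 6881,
                 proto: int = IPPROTO_TCP) -> bytes:
    """Constructed sample IPv4 + TCP packet (headers only, no payload).
    Addresses are documentation ranges; checksums are left zero because
    the matcher never looks at them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,          # version 4, IHL 5 (20 bytes)
                         0, 40,         # TOS, total length (20 IP + 20 TCP)
                         0, 0,          # identification, flags/fragment offset
                         64, proto, 0,  # TTL, protocol, header checksum
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport,
                          0, 0,          # sequence / acknowledgement numbers
                          5 << 4,        # data offset 5 words, reserved bits 0
                          flags,
                          0, 0, 0)       # window, checksum, urgent pointer
    return ip_hdr + tcp_hdr


def classify(packet: bytes) -> str:
    """Return "DROP" if the packet would match
    'iptables -p tcp --dport 49000:50000 --tcp-flags RST RST -j DROP',
    otherwise "ACCEPT" (the packet falls through to later rules)."""
    if len(packet) < 20:
        return "ACCEPT"              # truncated: not even a full IPv4 header
    ihl = (packet[0] & 0x0F) * 4     # IP header length, options included
    if packet[9] != IPPROTO_TCP or len(packet) < ihl + 20:
        return "ACCEPT"              # the rule is TCP-only
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    flags = packet[ihl + 13]
    # --tcp-flags RST RST: examine only the RST bit and require it to be set,
    # so RST+ACK (the usual shape of an injected reset) matches as well.
    if PORT_LO <= dport <= PORT_HI and flags & TCP_RST:
        return "DROP"
    return "ACCEPT"
```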

  • RST packets have no payload and hence no port.

    I am far from an expert, but based on my reading of the Snort documentation, Snort is able to detect the RST flag and alert, so you may be able to configure a combined rule in Snort to achieve your goals. I don't know enough yet to tell anyone how to do it though... but I am working on it.

    You may want to check out page 129 of the Snort user guide. http://www.snort.org/assets/82/snort_manual.pdf

    My guess is that you could let Snort deal with the RST packets and let pfSense handle the rest. I can't think of a valid reason to accept an incoming RST anyway.

