Dropping RST packets to a portrange
I need to create a firewall rule for pfSense that drops/blocks RST packets to a given port range (thanks to Comcast's Sandvine). I know how to do this with iptables on Linux, but I'm not sure how to put this together with pfSense. Can somebody please help?
pfSense blocks everything by default.
Just don't create an allow rule on the WAN.
Sorry, I guess I didn't properly explain my question well enough. I currently have a port forwarding rule set up to send all TCP traffic to ports 49000-50000, but I need that further modified to accept all TCP traffic EXCEPT RST packets, which need to be dropped. An example iptables rule for this would look like:
iptables -A FORWARD -p tcp --dport 49000:50000 --tcp-flags RST RST -j DROP
This rule is to stop Comcast's traffic shaper, Sandvine, from sending connection reset packets to (bittorrent) connections that it deems to use too much bandwidth.
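To make precise what the iptables rule above actually matches, here is an added example (not from the thread or from pfSense) that parses a raw TCP header and applies the same `--dport 49000:50000` / `--tcp-flags RST RST` test. The port range, the flag constants and the constructed sample segments are assumptions chosen to mirror the rule.

```python
import struct

# TCP flag bits (low 6 bits of the 16-bit data-offset/flags field, RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(segment: bytes) -> dict:
    """Return the TCP header fields a firewall rule matches on (ports, flags, length)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x3F,          # keep only the six classic flag bits
        "hdr_len": (off_flags >> 12) * 4,   # data offset is in 32-bit words
    }


def tcp_flags_match(flags: int, mask: int, comp: int) -> bool:
    """iptables --tcp-flags MASK COMP: examine only MASK bits; they must equal COMP."""
    return (flags & mask) == comp


def rst_to_range_dropped(segment: bytes, lo: int = 49000, hi: int = 50000) -> bool:
    """True when the thread's rule (dport in range AND RST bit set) would DROP this segment."""
    h = parse_tcp_header(segment)
    return lo <= h["dport"] <= hi and tcp_flags_match(h["flags"], RST, RST)


def make_segment(sport: int, dport: int, flags: int) -> bytes:
    """Build a constructed 20-byte TCP header (no options, no payload) for the demo."""
    off_flags = (5 << 12) | flags   # data offset 5 words = 20-byte header
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)


if __name__ == "__main__":
    samples = {                      # constructed inputs, not captured traffic
        "RST to 49500": make_segment(6881, 49500, RST),
        "RST+ACK to 49500": make_segment(6881, 49500, RST | ACK),
        "SYN to 49500": make_segment(6881, 49500, SYN),
        "RST to 80": make_segment(6881, 80, RST),
    }
    for name, seg in samples.items():
        print(f"{name}: {'DROP' if rst_to_range_dropped(seg) else 'pass'}")
```

Note that the mask/compare semantics also catch RST+ACK segments, and that the rule cannot tell an injected reset from a genuine one, so a peer's real abort on these ports will linger until the connection times out.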
RST packets have no payload and hence no port.
I am far from an expert, but based on my reading of the Snort documentation, Snort is able to detect the RST flag and alert, so you may be able to configure a combined rule in Snort to achieve your goals. I don't know enough yet to tell anyone how to do it though... but I am working on it.
You may want to check out page 129 of the Snort user guide. http://www.snort.org/assets/82/snort_manual.pdf
My guess is that you could let Snort deal with the RST packets and let pfSense handle the rest. I can't think of a valid reason to accept an incoming RST anyway.