Netgate Discussion Forum

    Protection against TCP/IP SYN+FIN (in general)

    comrax wrote:

      Hello all,

      I have done my homework before posting here, so:

      1. I know of the "synproxy" state method (which doesn't help here).

      2. Read here (http://forum.pfsense.org/index.php?topic=14862.0) for a similar case. pf can deny based on flags, and this can do the job: block in quick on $iface inet proto tcp from any to any flags SF/SF.

      3. I know of the XML config parameter <system><afterbootupshellcmd>, which would allow me to run a custom program after pfctl has finished loading rules.

      In order to solve the problem of the TCP/IP SYN+FIN flaw, either of the following roads can be taken:

      1. Using the webGUI itself, if this is possible; up until now, I couldn't find it anywhere. Any help on how to do it this way would be appreciated.

      2. Using a custom rule, loaded after the initial rules, to tackle this issue. How do you configure the <afterbootupshellcmd> parameter (webGUI? manually?) and instruct pf/pfSense to block such traffic?

      Any help would be appreciated :)

      /Comrax

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.