Protection against TCP/IP SYN+FIN (in general)



  • Hello all,

    I have done my homework before posting here, so:

    1. I know of the "synproxy" state method (which doesn't help here).

    2. Read here (http://forum.pfsense.org/index.php?topic=14862.0) for a similar case. pf can deny based on flags, and this can do the job: block in quick on $iface inet proto tcp from any to any flags SF/SF.

    3. I know of the XML config parameter <system><afterbootupshellcmd> which would allow me to run a custom program after pfctl has done loading rules.

    In order to solve the problem of the TCP/IP SYN+FIN flaw, either of the following roads can be taken:

    1. Using the webGUI itself, if this is possible – up until now, I couldn't find it anywhere. Any help on how to do it this way would be appreciated.

    2. Using a custom rule, after loading of initial rules, to tackle this issue. How do you configure the <afterbootupshellcmd> parameter (webGUI? manual?) and instruct pf/pfSense to block such traffic?

    Any help would be appreciated :)

    /Comrax
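As an added illustration (not part of the original post, and not pfSense or pf code) of what the quoted rule `flags SF/SF` actually tests, the following Python implements pf's `flags SET/MASK` semantics against the flag byte of a TCP header and runs it over a few constructed 20-byte segments. The `pf_rule` helper only renders the rule text from the post for a list of interface names; nothing here talks to pfctl. All segment contents, port numbers and interface names are made-up sample values.

```python
import struct

# TCP flag bits as used in pf's flag letters (RFC 793 flags plus the two ECN bits).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def parse_flag_letters(letters):
    """Turn a pf flag-letter string such as 'SF' or 'SA' into a bitmask."""
    value = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        value |= FLAG_BITS[ch]
    return value


def pf_flags_match(tcp_flags, spec):
    """Evaluate a pf 'flags SET/MASK' spec against an 8-bit TCP flag value.

    pf looks only at the bits named in MASK and matches when exactly the
    bits named in SET are on among them.  'SF/SF' therefore means
    'SYN and FIN both set, other flags ignored'; the default 'S/SA' means
    'SYN set and ACK clear, FIN not examined at all'.
    """
    set_part, _, mask_part = spec.partition("/")
    if not mask_part:
        raise ValueError("spec must be of the form SET/MASK")
    set_bits = parse_flag_letters(set_part)
    mask_bits = parse_flag_letters(mask_part)
    if set_bits & ~mask_bits:
        raise ValueError("SET names flags that are not in MASK")
    return (tcp_flags & mask_bits) == set_bits


def tcp_flags_from_header(segment):
    """Extract the flag byte from a raw TCP header (byte 13 of the header)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return segment[13]


def build_segment(flag_letters, sport=40000, dport=80):
    """Construct a minimal 20-byte TCP header with the given flags (sample data)."""
    data_offset = 5 << 4  # 5 32-bit words, no options; reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset,
                       parse_flag_letters(flag_letters), 65535, 0, 0)


def classify(segment):
    """Report which of the two flag specs a segment satisfies."""
    flags = tcp_flags_from_header(segment)
    return {
        "syn_fin": pf_flags_match(flags, "SF/SF"),   # what the block rule catches
        "new_conn": pf_flags_match(flags, "S/SA"),   # what a default pass rule accepts
    }


def pf_rule(iface, log=False):
    """Render the block rule from the post for one interface (text only)."""
    log_kw = "log " if log else ""
    return f"block in {log_kw}quick on {iface} inet proto tcp from any to any flags SF/SF"


if __name__ == "__main__":
    # Constructed sample segments: plain SYN, SYN+FIN, SYN+ACK, ACK, FIN+ACK.
    for letters in ("S", "SF", "SA", "A", "FA"):
        print(f"{letters:>3}: {classify(build_segment(letters))}")
    for iface in ("em0", "em1"):  # sample interface names
        print(pf_rule(iface, log=True))
```

The point the run makes visible: a SYN+FIN segment satisfies `S/SA` as well as `SF/SF`, because the default spec never examines the FIN bit. That is why a pass rule with the default flags treats SYN+FIN as a fresh connection attempt and why an explicit `block ... flags SF/SF` placed before it (with `quick`) is needed to drop such segments.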

