Protection against TCP/IP SYN+FIN (in general)
Hello all,
I have done my homework before posting here, so:
- I know of the "synproxy" state method (which doesn't help here).
- Read here (http://forum.pfsense.org/index.php?topic=14862.0) for a similar case. pf can deny based on flags, and this can do the job: block in quick on $iface inet proto tcp from any to any flags SF/SF.
- I know of the XML config parameter <system><afterbootupshellcmd>, which would allow me to run a custom program after pfctl has done loading rules.
In order to solve the problem of TCP/IP SYN+FIN flaw, either of the following roads can be taken:
- Using the webGUI itself, if this is possible – up until now, I couldn't find it anywhere. Any help on how to do it this way would be appreciated.
- Using a custom rule, after loading of the initial rules, to tackle this issue. How do you configure the <afterbootupshellcmd> parameter (webGUI? manual?) and instruct pf/pfSense to block such traffic?
Any help would be appreciated :)
/Comrax
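As an added illustration (not part of the post above, and not pfSense or pf code), the following Python models what the `flags SF/SF` match in the quoted rule actually tests: of the bits named in the mask (after the slash), exactly the bits named in the set (before the slash) must be on, and every other flag is ignored. It parses the flag byte out of constructed 20-byte TCP headers and evaluates the pf-style spec against it; the header builder and the `should_block` wrapper are assumptions for the example, and the headers carry no checksum or options.

```python
import struct

# TCP flag bits in the header's flags byte (RFC 793 order, low bit = FIN)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PF_FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def parse_flag_spec(spec: str) -> tuple[int, int]:
    """Turn a pf 'flags SET/MASK' spec such as 'SF/SF' into (set_bits, mask_bits).

    Only the explicit SET/MASK form used in the rule from the post is handled.
    """
    set_part, slash, mask_part = spec.partition("/")
    if not slash:
        raise ValueError("expected SET/MASK form, e.g. SF/SF")
    set_bits = sum(PF_FLAG_LETTERS[c] for c in set_part)
    mask_bits = sum(PF_FLAG_LETTERS[c] for c in mask_part)
    return set_bits, mask_bits


def flags_match(tcp_flags: int, spec: str) -> bool:
    """pf semantics: the packet's bits within MASK must equal SET exactly."""
    set_bits, mask_bits = parse_flag_spec(spec)
    return (tcp_flags & mask_bits) == set_bits


def tcp_flags_from_header(header: bytes) -> int:
    """Extract the six classic flag bits from byte 13 of a TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header too short")
    return header[13] & 0x3F


def build_tcp_header(flags: int, sport: int = 12345, dport: int = 80) -> bytes:
    """Constructed minimal 20-byte TCP header for the example (no checksum/options)."""
    data_offset = 5 << 4  # header length 5 words = 20 bytes, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def should_block(header: bytes, rule_spec: str = "SF/SF") -> bool:
    """Assumed helper: would the quoted 'block ... flags SF/SF' rule match this header?"""
    return flags_match(tcp_flags_from_header(header), rule_spec)
```

Note that `SF/SF` also matches a packet with SYN+FIN+ACK, since ACK is outside the mask, whereas the conventional `S/SA` spec used for new connections rejects SYN+ACK.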