Blocking TCP with RST flag ???
-
??? Anyway how to setup fw rule in pfsense?
-
Can you be more specific? A TCP packet that comes in from the Internet that is not part of an existing state would be blocked by default.
Why would you want to add another rule on top of that?
-
Jim, isn't the default to drop? I think he wants a RST, which would be reject instead, no?
-
It wasn't really clear from what he said, but that's possible.
He was either asking how to block incoming TCP RST packets, or block and send back an RST.
Rejecting (sending back an RST) is easy in the GUI, just add a rule at the end that has the action set to Reject instead of Block. Read the note carefully there, you can use that with TCP rules, and UDP rules, but not TCP/UDP rules (and no other protocols support reject, iirc).
-
Huh, that's funny, yes I see what you mean - could be taken either way. To be a purist, though, I assume that in the UDP case it actually sends an ICMP unreachable?
-
Huh, that's funny, yes I see what you mean - could be taken either way. To be a purist, though, I assume that in the UDP case it actually sends an ICMP unreachable?
I believe that is the case, yes.
-
thanks guys for the replies.. I am actually trying to achieve 3 way tcp-handshake with packet crafters but I am seeing rst flag is sent out along with the packet I've sent.
I know this can be blocked in linux like this
iptables -A OUTPUT -p tcp –tcp-flags RST RST -s {our IP} -d {dest IP} -dport {source port} -j DROP
not sure with pfsense.
Can this be done? Sry I m newbie here. ;D
-
It might be possible to craft the right pf rule, but you'd have to invoke that in a script or something. Can I ask what you are trying to accomplish? Not meaning to offend, but folks here are basically providing free tech support, and I for one would rather not invest a significant amount of (unpaid) time trying to help someone massage pf in a way that makes no sense.