Netgate Discussion Forum
Blocking TCP with RST flag ???

8 Posts 3 Posters 4.4k Views
poekong (Mar 6, 2010, 5:06 PM):

??? Anyway, how do I set up a firewall rule in pfSense?
jimp, Rebel Alliance Developer, Netgate (Mar 6, 2010, 10:32 PM):

Can you be more specific? A TCP packet that comes in from the Internet that is not part of an existing state would be blocked by default.

Why would you want to add another rule on top of that?

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
danswartz (Mar 7, 2010, 9:13 PM):

Jim, isn't the default to drop? I think he wants an RST, which would be reject instead, no?
jimp, Rebel Alliance Developer, Netgate (Mar 7, 2010, 9:31 PM):

It wasn't really clear from what he said, but that's possible.

He was either asking how to block incoming TCP RST packets, or how to block and send back an RST.

Rejecting (sending back an RST) is easy in the GUI: just add a rule at the end that has the action set to Reject instead of Block. Read the note carefully there; you can use that with TCP rules and UDP rules, but not TCP/UDP rules (and no other protocols support reject, IIRC).
danswartz (Mar 7, 2010, 10:07 PM):

Huh, that's funny, yes I see what you mean - could be taken either way. To be a purist, though, I assume that in the UDP case it actually sends an ICMP unreachable?
jimp, Rebel Alliance Developer, Netgate (Mar 7, 2010, 10:28 PM):

@danswartz:
    Huh, that's funny, yes I see what you mean - could be taken either way. To be a purist, though, I assume that in the UDP case it actually sends an ICMP unreachable?

I believe that is the case, yes.
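The Block versus Reject distinction jimp and danswartz describe above, written out as pf rules. This is an added example, not code from the thread or from pfSense itself; the interface name, addresses and port numbers are assumptions for illustration.

```pf
# Added example (not from this thread): pf rules for a pfSense WAN showing the
# difference between "Block" (silent drop) and "Reject" (send a response).
# Interface name and ports below are assumptions chosen for illustration.
ext_if = "em0"

# Keep state for outbound TCP so only SYNs create new states; inbound packets
# that match no state fall through to the rules below (the "blocked by
# default" behaviour jimp describes).
pass out quick on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state

# pfSense "Block": drop silently. A remote client only sees a timeout and
# cannot tell whether anything is listening.
block drop in on $ext_if all

# pfSense "Reject" on a TCP rule: pf answers with a TCP RST, so the client
# gets "connection refused" immediately instead of waiting for a timeout.
block return in quick on $ext_if proto tcp from any to ($ext_if) port 23

# pfSense "Reject" on a UDP rule: UDP has no RST, so pf answers with an
# ICMP port unreachable instead (danswartz's question, confirmed by jimp).
block return in quick on $ext_if proto udp from any to ($ext_if) port 161

# The explicit forms behave the same. return-rst is valid only for TCP,
# which is why the GUI's Reject action cannot be used on a combined
# TCP/UDP rule.
block return-rst in quick on $ext_if proto tcp from any to ($ext_if) port 25
block return-icmp(port-unr) in quick on $ext_if proto udp from any to ($ext_if) port 69

# Services that are genuinely offered are passed explicitly.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 443 flags S/SA keep state
```

A practical check after applying either action is to watch the WAN with tcpdump while connecting from outside: a Reject rule produces a visible RST or ICMP reply, a Block rule produces nothing.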
poekong (Mar 8, 2010, 10:03 AM):

Thanks guys for the replies. I am actually trying to achieve a 3-way TCP handshake with packet crafters, but I am seeing that an RST flag is sent out along with the packet I've sent.

I know this can be blocked in Linux like this:

    iptables -A OUTPUT -p tcp --tcp-flags RST RST -s {our IP} -d {dest IP} --dport {source port} -j DROP

Not sure with pfSense.

Can this be done? Sorry, I'm a newbie here. ;D
danswartz (Mar 8, 2010, 7:10 PM):

It might be possible to craft the right pf rule, but you'd have to invoke that in a script or something. Can I ask what you are trying to accomplish? Not meaning to offend, but folks here are basically providing free tech support, and I for one would rather not invest a significant amount of (unpaid) time trying to help someone massage pf in a way that makes no sense.
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.