FIN/RST packets blocked
-
Hi,
I hope this isn't a silly question, but I didn't find out by myself and it might be a peace of cake for somebody more experienced with pfSense:
Looking in the firewall log I see that all TCP:FA or TCP:RA pakets are blocked. I don't find any setting or rule to do so and honestly, I don't see a reason to block packages which (to my understanding) just terminate an existing TCP connection. I don't consider this as an issue but I'd appreciate if anybody could enlighten me… and I'd like to get rid of the logging entries!Thx!
I don't think this is important, but just for the records: 2.0.1-RELEASE (i386) / FreeBSD 8.1-RELEASE-p6
Best regards,
Markus -
Probably this: http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F
Most likely, the connections were already allowed, but the states were removed, and then after the states were removed, another packet came through. Especially common if transparent squid is involved.
-
When 2.1 is released you will be able to not log those leftover packets from a previous connection by blocking the TCP packets with certain TCP Options set right at the beginning of your rule base. This was not possible until a recent change was made on a 2.1 RC snapshot.
See… http://forum.pfsense.org/index.php/topic,63449.msg343455.html#msg343455Note the above discussion blocks without logging the leftover FIN/ACK packets. If you want to also not log the FIN/RST packets you would need to create another rule but with the TCP flags settings changed to TCP Flags: SET:FIN,RST OUTOF:FIN,SYN,RST,ACK,URG.
Before the latest snapshot of 2.1 a week or two ago you could not set TCP options for a block rule. Well you could specify them but if you ever did create such a rule pfsense would strip off the TCP options and block connections you didn't want to block.
-
So at least it wasn't a silly question though… :)
Thanks for the comments/hints!
