Blocking XMAS scan using TCP flags

Hello,

I am in the process of migrating an existing Linux based FW / router to pfSense 2.1.

    With the Linux router, I was able to set a blocking rule for XMAS scan using iptables.

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

    If I am not mistaken, the first argument describes what to examine ( ALL being FIN,SYN,RST,PSH,ACK and URG ) and the second argument describes flags that must be set.

I tried to achieve this using pfSense 2.1 by ticking those 6 flags for 'set' and leaving the others blank. As soon as I hit the 'Save' button, it threw an error as follows.

    The following input errors were detected:

    If you specify TCP flags that should be set you should specify out of which flags as well.

By ticking all 8 flags ( including ECE and CWR ) for 'set', I also got the same error.

The next thing I did was to tick ECE and CWR for 'out of' while FIN,SYN,RST,PSH,ACK and URG were all set on. This allowed me to save the configuration, however a notification came up saying:

[ There were error(s) loading the rules: /tmp/rules.debug:169: flags always false - The line in question reads [169]: block in quick on $WAN reply-to ( bce1 <wan ip address> ) inet proto tcp from any to any flags FSRPAU/EW label USER_RULE ]

    Unfortunately I could not find any relevant information to achieve this setting and would like to get assistance from the forum.

Thanks in advance!
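The "flags always false" error is pfctl's way of saying that a flag listed as set (before the slash) does not appear in the mask (after the slash), so the rule could never match. The script below is an added example, not code from the post or from pfSense: it checks a pf `flags SET/MASK` spec for that condition and translates an iptables `--tcp-flags MASK COMP` pair into pf's `COMP/MASK` form. It assumes pf's single-letter flag alphabet FSRPAUEW (FIN SYN RST PSH ACK URG ECE CWR).

```shell
#!/bin/sh
# Added example (not pfSense or pf project code): check a pf "flags SET/MASK"
# spec the way pfctl does and translate iptables --tcp-flags MASK COMP into it.
# Assumed: pf flag letters F S R P A U E W (FIN SYN RST PSH ACK URG ECE CWR).

# Return 0 if SET is a subset of MASK (rule can match), 1 if some set flag
# is outside the mask (pfctl reports "flags always false"), 2 if malformed.
pf_flags_check() {
    case $1 in */*) ;; *) return 2 ;; esac
    set_part=${1%%/*}; mask_part=${1#*/}
    rest=$set_part$mask_part
    while [ -n "$rest" ]; do            # every letter must be a pf flag
        c=${rest%"${rest#?}"}; rest=${rest#?}
        case FSRPAUEW in *"$c"*) ;; *) return 2 ;; esac
    done
    rest=$set_part
    while [ -n "$rest" ]; do            # a set flag not in the mask never matches
        c=${rest%"${rest#?}"}; rest=${rest#?}
        case $mask_part in *"$c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Expand an iptables flag list (ALL, NONE or FIN,SYN,...) to pf letters.
iptables_names_to_pf() {
    case $1 in ALL) echo FSRPAU; return 0 ;; NONE) echo ""; return 0 ;; esac
    out=""; oldifs=$IFS; IFS=,
    for name in $1; do
        case $name in
            FIN) out=${out}F ;; SYN) out=${out}S ;; RST) out=${out}R ;;
            PSH) out=${out}P ;; ACK) out=${out}A ;; URG) out=${out}U ;;
            *) IFS=$oldifs; return 1 ;;
        esac
    done
    IFS=$oldifs; echo "$out"
}

# iptables "--tcp-flags MASK COMP" becomes pf "flags COMP/MASK".
iptables_to_pf_flags() {
    mask=$(iptables_names_to_pf "$1") || return 1
    comp=$(iptables_names_to_pf "$2") || return 1
    echo "$comp/$mask"
}

# Demo: the poster's iptables rule versus the rule pfSense generated.
spec=$(iptables_to_pf_flags ALL ALL)     # FSRPAU/FSRPAU
pf_flags_check "$spec" && echo "$spec: ok"
pf_flags_check FSRPAU/EW || echo "FSRPAU/EW: flags always false (rc=$?)"
```

Run with `sh` on any POSIX shell; the same subset rule applies whichever flags you pick in a GUI that generates pf syntax.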
