RST Question

  • Hi all,

    Normal TCP flow

    Client -----SYN-----> PFsense NAT (Web Server)
    Client <---SYN/ACK--- PFsense NAT (Web Server)
    Client -----ACK-----> PFsense NAT (Web Server)
    Client <---FIN/ACK--- PFsense NAT (Web Server)
    Client ---FIN/ACK---> PFsense NAT (Web Server)
    Client <-----ACK----- PFsense NAT (Web Server)

    Can I use PFsense to change the FIN/ACK to RST? I want to disconnect the session immediately.

    Client -----SYN-----> PFsense NAT (Web Server)
    Client <---SYN/ACK--- PFsense NAT (Web Server)
    Client -----ACK-----> PFsense NAT (Web Server)
    Client <-----RST----- PFsense NAT (Web Server)

    Please advise.

  • That breaks the standard. If packets are received out of order, the RST packet will force the client to close the connection before completing the transfer.

    You can tweak the timeouts of the different stages, making PFSense quickly close the state after FIN/ACK has occurred.

  • Hi all,

    My client sends a RST to the pfSense. In the pfSense, I still see the record in the state table.

    Can I configure the pfSense to clear/delete the record immediately after it receives a RST from the client?

    Please advise.

  • LAYER 8 Global Moderator

    What exactly are you doing that your "client" should be sending a RST? In a normal setup, looking at a client/server where the "client" initiates the communication to a "server", why would the client send a RST?

    Normally a RST means an invalid connection, so the client sent a FIN/ACK, never got back a FIN/ACK, closed the session anyway, and the "server" is still trying to send data?

    Normally you see a RST come from the server side of the communication, where the client is trying to talk to something that is not there, or the server application restarted and the client is still trying to talk to something the server does not have a clue about, etc.

    Not saying the client would never send a RST. But it would be most helpful in trying to help you if we actually knew what you're wanting to accomplish and why. Maybe you're trying to skin the cat the wrong way??

    Normally, if everything is working as it should, devices talking to each other via TCP would not send a RST; they would close the session gracefully with FIN/ACK. A RST normally means somebody doesn't want to talk real bad, or "you're talking to something I don't know about", etc. Can you post up a sniff of this conversation and then the pfSense states showing it still open after normal graceful closure? A bit confused as to why you believe pfSense should send a RST on behalf of something. Why wouldn't the client or server actually send the RST when there is communication that it doesn't want or know about, etc., or when it wants to abort a conversation? To be honest, the firewall should not really interfere with client/server communications. Sure, you might have your firewall send a RST if someone is talking to a port you're not forwarding to anything, etc. But quite often you would just drop that packet.

    You do understand that TIME_WAIT serves a purpose in TCP, so that delayed packets don't end up in a previous conversation, etc.? While you can quite often modify how long stuff is left in TIME_WAIT, I'm not exactly sure why you think this state should just be closed instantly.

    While I have never had to dive this deep into how exactly pfSense does it or what the timers are by default, normally a firewall will have specific timers for TIME_WAIT and remove the session after it sees FIN/ACKs from both parties and/or a RST, etc. Maybe this diagram will help?

  • Hi,

    My PC has a program installed that can send some data to my remote server 10 times per second. I only assign one special NAT port for the PC to use. After sending the data, my program disconnects immediately. Therefore, I want the pfSense to clear the state table record as soon as possible. Otherwise, my PC cannot build up a new connection, because the NAT port is still used by the old record.


  • LAYER 8 Global Moderator

    Yeah, there is a REASON the firewall does that ;) See my edited post with the diagram on when a session is removed on the firewall, etc. You should be able to edit the TIME_WAIT timer to have it remove the session faster if you so desire.

    What program are you using? Is it something written in house? A common tool? So your program is using the same source port.. Or you have your NAT set up with static NAT ports? Why exactly??

  • Hi,

    It is an in-house program and uses static NAT ports.

    Would you mind teaching me how to change the timer in pfSense?


  • LAYER 8 Global Moderator

    Well, first off, you're doing your program WRONG to start with!! There should be no reason to have to modify the default timers, so if you're having issues, your program is not working with the TCP standards.

    You can view the current timers with pfctl -st

    These are the normal settings

    [2.2.4-RELEASE][root@pfSense.local.lan]/root: pfctl -st
    tcp.first                  120s
    tcp.opening                 30s
    tcp.established          86400s
    tcp.closing                900s
    tcp.finwait                 45s
    tcp.closed                  90s
    tcp.tsdiff                  30s
    udp.first                   60s
    udp.single                  30s
    udp.multiple                60s
    icmp.first                  20s
    icmp.error                  10s
    other.first                 60s
    other.single                30s
    other.multiple              60s
    frag                        30s
    interval                    10s
    adaptive.start          120600 states
    adaptive.end            241200 states
    src.track                    0s

    You can set the firewall optimization mode in Advanced, Firewall and NAT (1st arrow), or you can modify the specific timers at the bottom (2nd arrow). But I really would take a look at why you would have to adjust these to do what you're doing.
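
The timers listed above are what decide how long a NAT state outlives the connection it belongs to. The following is an added example written for this page, not pfSense's or pf's own code: it walks two constructed packet traces (a graceful FIN/ACK close and a client-sent RST, the two cases discussed in this thread) through a simplified model of pf's TCP timeout selection as described in pf.conf(5), using the TCP values from the `pfctl -st` listing above, and renders the matching pf.conf `set timeout` line. The traces, the parser and the tightened values at the end are illustrations; real pf also tracks sequence windows and per-direction states, which this model leaves out.

```python
"""Simplified model of which pf state timeout governs a TCP state after
each packet, driven by the values shown by `pfctl -st`.

Added example, not pfSense or pf code. Timeout selection follows the
pf.conf(5) descriptions of tcp.first / tcp.opening / tcp.established /
tcp.closing / tcp.finwait / tcp.closed; real pf additionally tracks
sequence windows and per-direction states, which are omitted here.
"""
import re

# Constructed from the TCP part of the `pfctl -st` listing in the thread.
PFCTL_ST_OUTPUT = """\
tcp.first                  120s
tcp.opening                 30s
tcp.established          86400s
tcp.closing                900s
tcp.finwait                 45s
tcp.closed                  90s
"""

# Constructed packet traces as (direction, TCP flags).
# "out" is client -> server (the host behind the NAT), "in" is server -> client.
GRACEFUL_CLOSE = [
    ("out", "S"), ("in", "SA"), ("out", "A"),   # three-way handshake
    ("out", "PA"),                               # client sends its data
    ("in", "FA"), ("out", "FA"), ("in", "A"),    # four-way close
]
ABORTIVE_CLOSE = [
    ("out", "S"), ("in", "SA"), ("out", "A"),
    ("out", "PA"),
    ("out", "R"),                                # client aborts with RST
]


def parse_timeouts(text):
    """Parse `pfctl -st` lines of the form '<name>   <N>s' into seconds."""
    timeouts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z]+\.[a-z]+)\s+(\d+)s\s*$", line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
    return timeouts


def pf_timeout_after(packets):
    """Name of the pf timeout in force after the last packet of `packets`."""
    seen_reply = False      # has the server sent anything yet?
    established = False     # has the client's handshake-completing ACK been seen?
    fins = set()            # directions in which a FIN has been seen
    name = "tcp.first"
    for i, (direction, flags) in enumerate(packets):
        if "R" in flags:
            return "tcp.closed"          # RST from either side: tcp.closed applies
        if i == 0:
            continue                     # first packet (the SYN): tcp.first applies
        if direction == "in":
            seen_reply = True
        elif seen_reply and "S" not in flags:
            established = True           # client ACK after the SYN/ACK
        if "F" in flags:
            fins.add(direction)
        if len(fins) == 2:
            name = "tcp.finwait"         # both FINs exchanged
        elif fins:
            name = "tcp.closing"         # first FIN seen
        elif established:
            name = "tcp.established"
        else:
            name = "tcp.opening"         # handshake still in progress
    return name


def lingering_seconds(packets, timeouts):
    """(timeout name, seconds) the state keeps occupying the NAT port after the trace."""
    name = pf_timeout_after(packets)
    return name, timeouts[name]


def set_timeout_line(overrides):
    """Render a pf.conf `set timeout { ... }` line for the given overrides."""
    body = ", ".join(f"{name} {secs}" for name, secs in overrides.items())
    return "set timeout { " + body + " }"


if __name__ == "__main__":
    defaults = parse_timeouts(PFCTL_ST_OUTPUT)
    for label, trace in (("graceful FIN/ACK close", GRACEFUL_CLOSE),
                         ("client RST", ABORTIVE_CLOSE)):
        name, secs = lingering_seconds(trace, defaults)
        print(f"{label:24s} -> {name} ({secs}s before pf drops the state)")
    # Illustrative tightened values only; choose your own after reading pf.conf(5).
    print(set_timeout_line({"tcp.closing": 30, "tcp.finwait": 10, "tcp.closed": 5}))
```

Under the defaults the model keeps the state for tcp.finwait (45s) after a graceful close and tcp.closed (90s) after a RST, which matches the earlier observation that the record is still there after the client's RST. Lowering tcp.closed (the per-timer fields the moderator points to under Advanced, Firewall and NAT) shortens that window, but with ten connections a second from one static source port even a one-second timer leaves the port occupied across many attempts, which is why the program, not the firewall, is the thing to change: let the OS pick ephemeral source ports, or keep one connection open and send on it.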

  • Hi,

    Thank you for your information :)
