Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 30 replies
  • Subscribers 2 subscribers
  • Views 49510 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FW dropping ACK, RST/ACK & FIN/ACK packets though packets are from valid sessions

Jim Tagert
Does the ASG function in this manner?

When the firewall receives a TCP RST for an existing session it immediately clears the session from the session table. This means there is no longer a valid session for the TCP RST/ACK to pass through. Hence, the firewall will treat the TCP RST/ACK as a non-SYN first packet and drop it.



Thanks,

Jim


This thread was automatically locked due to age.
Parents
  • 0
    OK, this is what you have to do to get it to work if you're using DNAT:

    PF rule:
    source: ANY (Internet should work too)
    service: HTTP (or a group with HTTP/HTTPS)
    dest: EXTERNAL ADDRESS
    DROP (without logging)


    If you're not using DNAT, DEST should be the server's IP.

    In my case, I need one for each DNAT'd address.

    Naturally these rules should be BELOW the ALLOW rules for your http servers.

    Barry
Reply
  • 0
    OK, this is what you have to do to get it to work if you're using DNAT:

    PF rule:
    source: ANY (Internet should work too)
    service: HTTP (or a group with HTTP/HTTPS)
    dest: EXTERNAL ADDRESS
    DROP (without logging)


    If you're not using DNAT, DEST should be the server's IP.

    In my case, I need one for each DNAT'd address.

    Naturally these rules should be BELOW the ALLOW rules for your http servers.

    Barry
Children
  • 0 in reply to BarryG
    OK, this is what you have to do to get it to work if you're using DNAT:

    PF rule:
    source: ANY (Internet should work too)
    service: HTTP (or a group with HTTP/HTTPS)
    dest: EXTERNAL ADDRESS
    DROP (without logging)


    If you're not using DNAT, DEST should be the server's IP.

    In my case, I need one for each DNAT'd address.

    Naturally these rules should be BELOW the ALLOW rules for your http servers.

    Barry


    I know this is "old" by now..but I got like 25% of the packages dropped is from a respected company from Norway.
    I use DNAT to my webserver and automatic PF rule. Now I wonder how that would work with the above.. in other words, does the automatic rules come before or after my own custom ones.. ?

    2011:01:06-23:38:42 asg220_silk ulogd[4267]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="80:71:1f:c1:7:c0" dstmac="0:1a:8c:15:2:fa" srcip="xx.***.***.xx" dstip="xx.***.xx.xx" proto="6" length="40" tos="0x00" prec="0x00" ttl="117" srcport="57470" dstport="80" tcpflags="ACK FIN"