Hello,
I've configured a rule which should block any incoming TCP traffic on WAN with just a (1) SYN flag.
So, I checked in the "Advanced Options" in the category "set" just the SYN flag and "out of" any other flags.
But if I try to connect via telnet, then it works.
Can anyone please help me? I think this config should be right.
Thank you in advance
But that is the default? Only TCP packets that are part of a connection established from the inside are allowed in via WAN. Which means they always have ACK set.
Hello and thank you very much for your help,
I am just wondering why my first rule (block all incoming traffic which contains just one SYN flag) doesn't apply.
I've set the default rules temporarily off to check my SYN rule.
Regards
In that case please post a complete screen shot of your rule. Analysis will prove difficult without.
Hello and thank you for your support.
I've attached the screenshots.
Regards
I guess you got the TCP flag section wrong. The "out of" line defines (as I read it) which flags the firewall should consider when looking at the packet.
So for example to define SYN set, but ACK not set, you would tick:
set: SYN, but not ACK
out of: SYN and ACK
For your particular use case that boils down to:
set: SYN
out of: SYN
And since you are essentially "dumbing down" all the stateful magic in pf, I would disable "keep state".
HTH, please report if that works
Patrick
Hi,
thank you for your help.
I've read something about this and I tried each variation, including yours.
But it simply doesn't work for some reason.
I've already read this article as well:
https://forum.netgate.com/topic/124171/when-to-enable-the-tcp-flag-out-of
Quote: In nearly all cases, you will never need to touch that. It's for making sure some flags are set and others are unset.
So if you have "S" out of "SA" checked it will only match if SYN is set and ACK is not set. This way it can match the first packet of a TCP handshake but not the later packets. That example is the default choice when that control is left alone at the default and the rule is for TCP.
Then try pfctl -s rules to check what the UI creates from the settings ...
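As an added illustration (not code from anyone in this thread, nor from OPNsense or pf), a small Python model of the "set" / "out of" flag matching that Patrick's reply and the quoted explanation above describe: among the "out of" flags, exactly the "set" ones must be on, and all other flags are ignored. The flag bit values are the TCP header bits; the subset check is this model's own assumption about what a sane rule looks like, not a claim about how pfctl reports such an error.

```python
# Added example: a model of pf's "flags <set>/<out of>" matching, as described
# in this thread. Not code from OPNsense or pf; written to illustrate the thread.

# TCP flag bits as they appear in the TCP header (pf uses the same letters).
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flags_mask(spec: str) -> int:
    """Turn a pf flag string such as 'SA' into a bitmask."""
    mask = 0
    for ch in spec:
        mask |= TCP_FLAGS[ch]          # KeyError on an unknown flag letter
    return mask


def pf_flags_match(packet_flags: str, rule_flags: str) -> bool:
    """Does a packet carrying packet_flags match a rule with 'flags rule_flags'?

    rule_flags uses pf syntax 'set/outof' (what the UI calls "set" / "out of"):
    among the 'out of' flags, exactly the 'set' ones must be on; flags outside
    'out of' are ignored.  The subset check below is this model's own assumption.
    """
    set_part, _, outof_part = rule_flags.partition("/")
    set_mask, outof_mask = flags_mask(set_part), flags_mask(outof_part)
    if set_mask & ~outof_mask:
        raise ValueError("every 'set' flag must also be listed in 'out of'")
    return (flags_mask(packet_flags) & outof_mask) == set_mask


def summarize(rule_flags: str, samples=("S", "SA", "A", "PA", "FA")) -> dict:
    """Evaluate one rule against typical handshake, data and teardown packets."""
    return {p: pf_flags_match(p, rule_flags) for p in samples}


if __name__ == "__main__":
    # Default for a TCP rule (S/SA): only the client's initial SYN matches.
    # S/S (set SYN, out of SYN): SYN and SYN-ACK both match, so with "keep
    # state" off the rule also sees the server's reply, not just the first packet.
    for rule in ("S/SA", "S/S"):
        print(rule, summarize(rule))
```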
Hi and thank you very much for your support.
I think I figured out via SSH that the rules were not correctly created by the system.
When I did my last TCP flag change, neither connecting to the internet nor communicating with the firewall was possible - but that's nothing bad, because I just wanted to test the rules and wanted to know how the system works.
But when I set the change back, the system still didn't come back to normal and the firewall blocked every traffic on each interface - like in an arbitrary way.
After I set the system back to factory settings, everything was fine again.
When I created a "deny all" rule, the access to the internet was still possible, but I wasn't able to connect via SSH to the OPNsense.
The point is that my rule isn't a big deal, but maybe the firewall is not able to deal with the rule.
It's really a pity.
There were so many issues, independent of each other.
I think I will try pfSense now, just to be sure, although I like 100% Open Source Software.
Thank you very much for your support