OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: mitchskis on February 04, 2018, 03:59:06 pm
-
Is it possible to configure OPNsense to send TCP RST packets when the firewall state or NAT state table drops a session? For example, when expiration time arrives it'd be best for both sides of the connection to receive a TCP RST packet so they can release resources and/or generate useful error messages.
-
That's the difference between block and reject actions of rules. Here's the GUI help text:
Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded.
Cheers,
Franco
-
Thanks, Franco, for pointing me in the right direction. Those block/reject settings only seem to apply to unestablished traffic.
Once a connection is established, it's my understanding that OPNsense keeps track of this connection twice – once in the Firewall States tables and once in the NAT table.
If an established connection has been quiet for a period of time and its expiration time arrives, OPNsense silently drops the connection. I'm seeking a knob that would change this behaviour to flood a TCP RST or ICMP port unreachable for UDP to both ends of the connection so that applications are aware that their connection has been interrupted.
-
Hi mitchskis,
I'm not aware of such a feature. The states are silently dropped when they expire. There is no "passive" reject, only in interaction with an incoming packet.
Cheers,
Franco
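-
As an added illustration (not from the thread above and not generated by OPNsense), here is what the two behaviours Franco describes look like in raw pf.conf syntax, which is what OPNsense compiles its GUI rules into. The interface name em0 and the port numbers are placeholders chosen for the example; the timeout values are pf's documented defaults. The fragment also shows the only knob that exists for the expiry case: how long an idle state lives. Nothing in it makes pf emit a RST or ICMP error when a state expires.

```pf
# Options come before rules in pf.conf.
#
# Global policy for "block" rules that carry no drop/return modifier:
#   drop   = silent discard          (OPNsense action "Block")
#   return = TCP RST / ICMP unreach  (OPNsense action "Reject")
set block-policy drop

# State lifetimes (pf defaults shown). Raising tcp.established keeps idle
# TCP sessions alive longer; lowering it removes them sooner. Expiry is
# always silent: no packet is sent to either endpoint.
set timeout tcp.established 86400
set timeout udp.multiple 60

# Explicit per-rule forms. These only apply to packets that reach the
# ruleset, i.e. packets that do not already match an existing state.
block drop   in on em0 proto tcp from any to any port 23    # silent; client hangs until its own timeout
block return in on em0 proto tcp from any to any port 3389  # client receives a TCP RST immediately
block return in on em0 proto udp from any to any port 161   # client receives ICMP port unreachable

# A pass rule creates a state entry; once created, traffic matching the
# state is never re-evaluated against block/return rules.
pass in on em0 proto tcp from any to any port 22 keep state
```

If you want an idle application to notice the loss of its connection, the practical choices are on the endpoints rather than the firewall: TCP keepalives (or application-level heartbeats) short enough to refresh the pf state before tcp.established runs out, or to fail on the endpoint once the state is gone and the next packet is blocked.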