Author Topic: Flood TCP RST (Read 4202 times)

mitchskis · « **on:** February 04, 2018, 03:59:06 pm »

Is it possible to configure OPNsense to send TCP RST packets when the firewall state or NAT state table drops a session? For example, when expiration time arrives it'd be best that both sides of the connection to receive a TCP RST packets so they can release resources and/or generate useful error messages.

franco · « **Reply #1 on:** February 05, 2018, 08:59:39 am »

That's the difference beteen block and reject actions of rules. Here's the GUI help text:

Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded.

Cheers,
Franco

mitchskis · « **Reply #2 on:** March 02, 2018, 04:25:57 am »

Thanks, Franco, for point me in the right direction. Those block/reject setting only seem to apply to unestablished traffic.

Once a connection is established, it's my understanding that OPNsense keeps track of this connection twice – once in the Firewall States tables and once in the NAT table.

If an established connection has been quiet for a period of time and its expiration time arrives, OPNsense silently drops the connection. I'm seeking a knob that would change this behaviour to flood a TCP RST or ICMP port unreachable for UDP to both ends of the connection so that applications are aware of their connection has been interrupted.

franco · « **Reply #3 on:** March 02, 2018, 02:29:29 pm »

Hi mitchskis,

I'm not aware of such a feature. The states are silently dropped when they expire. There is no "passive" reject, only in interaction with an incoming packet.

Cheers,
Franco

Author Topic: Flood TCP RST (Read 4202 times)

mitchskis

Flood TCP RST

franco

Re: Flood TCP RST

mitchskis

Re: Flood TCP RST

franco

Re: Flood TCP RST