[SOLVED] Firewall blocks TCP RST when TCP FIN was sent already
Topic: [SOLVED] Firewall blocks TCP RST when TCP FIN was sent already (Read 5819 times)
JasMan
Full Member
Posts: 175
Karma: 9
[SOLVED] Firewall blocks TCP RST when TCP FIN was sent already
« on: January 02, 2019, 01:37:49 pm »
Hey,
I have an issue with a TCP connection (LAN client downloads data from WAN server). I did some troubleshooting and found out that a packet with the RST flag set is blocked by the firewall (I guess) when a packet with the FIN flag set was sent before in the TCP session.
An example:
RST packet blocked:
1. Session between client and server is up and running.
2. Client decides to close the session and sends a FIN/ACK packet to the server.
3. Server apparently ignores the FIN/ACK packet and still sends data packets to the client.
4. Client sends an RST packet to the server, which is blocked by the OPNsense appliance. I can see the packet in the packet trace on the LAN side but not on the WAN side.
5. Server still sends data packets, but the client doesn't acknowledge them. It stops when the client's receive window is "full".

RST packet is not blocked:
1. Session between client and server is up and running.
2. Client decides to close the session and sends an RST packet to the server.
3. Server sends an ACK packet and stops sending data.
Is this a normal behaviour?
I think my issue has to do with this behaviour, because when the RST packet is blocked the session state remains open on the server. When a certain limit has been reached, I guess the server will not allow any more connections from/to my IP address.
Jas Man
« Last Edit: January 12, 2019, 02:25:10 pm by JasMan »
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
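The LAN-versus-WAN packet trace comparison described in the post above, as an added example that is not part of the original thread. It assumes `tcpdump -n -S` text output (absolute sequence numbers) and outbound NAT that rewrites only the source address and port; the addresses and capture lines are constructed.

```python
import re

# One tcpdump -n -S line: "... IP src.port > dst.port: Flags [F.], seq N, ack M, ..."
LINE = re.compile(
    r"IP [\d.]+\.\d+ > (?P<dst>[\d.]+)\.\d+: Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)

def parse(capture, server):
    """Client->server packets as (flags, seq, ack) tuples, in capture order."""
    packets = []
    for line in capture.strip().splitlines():
        m = LINE.search(line)
        if m and m["dst"] == server:
            num = lambda v: int(v) if v else None
            packets.append((m["flags"], num(m["seq"]), num(m["ack"])))
    return packets

def not_forwarded(lan_capture, wan_capture, server):
    """Packets toward `server` seen on LAN but missing on WAN.

    Source address/port are ignored because NAT changes them between
    the two interfaces; flags, seq and ack identify the packet."""
    seen_on_wan = set(parse(wan_capture, server))
    return [p for p in parse(lan_capture, server) if p not in seen_on_wan]

def rst_after_fin_dropped(lan_capture, wan_capture, server):
    """True if the first dropped RST followed a FIN sent by the client."""
    dropped = set(not_forwarded(lan_capture, wan_capture, server))
    fin_seen = False
    for pkt in parse(lan_capture, server):
        if "F" in pkt[0]:
            fin_seen = True
        elif "R" in pkt[0] and pkt in dropped:
            return fin_seen
    return False

# Constructed captures reproducing the "RST packet blocked" case.
SERVER = "203.0.113.5"
LAN = """
13:37:01.000001 IP 192.168.1.10.50000 > 203.0.113.5.443: Flags [F.], seq 1001, ack 5001, win 512, length 0
13:37:01.020000 IP 203.0.113.5.443 > 192.168.1.10.50000: Flags [.], seq 5001:6461, ack 1001, win 256, length 1460
13:37:01.020500 IP 192.168.1.10.50000 > 203.0.113.5.443: Flags [R], seq 1002, win 0, length 0
"""
WAN = """
13:37:01.000101 IP 198.51.100.2.50000 > 203.0.113.5.443: Flags [F.], seq 1001, ack 5001, win 512, length 0
13:37:01.019900 IP 203.0.113.5.443 > 198.51.100.2.50000: Flags [.], seq 5001:6461, ack 1001, win 256, length 1460
"""

if __name__ == "__main__":
    print(not_forwarded(LAN, WAN, SERVER), rst_after_fin_dropped(LAN, WAN, SERVER))
```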
JasMan
Full Member
Posts: 175
Karma: 9
Re: Firewall blocks TCP RST when TCP SYN was sent already
« Reply #1 on: January 11, 2019, 09:48:25 pm »
Mmh, it looks like the new version 18.7.10 solved this problem.
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: [SOLVED] Firewall blocks TCP RST when TCP SYN was sent already
« Reply #2 on: January 12, 2019, 01:57:55 pm »
Hmm, strange fix. Maybe the reboot did it?
Cheers,
Franco
JasMan
Full Member
Posts: 175
Karma: 9
Re: [SOLVED] Firewall blocks TCP RST when TCP FIN was sent already
« Reply #3 on: January 12, 2019, 02:33:32 pm »
I'm not totally sure but I think I already did a reboot before the update.
BTW: I saw that the title of my topic was wrong. I've changed it ("...TCP SYN..." to "...TCP FIN...")
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: [SOLVED] Firewall blocks TCP RST when TCP FIN was sent already
« Reply #4 on: January 13, 2019, 11:09:02 am »
Ok, I'll keep this in mind. It might have to do with a state being stuck in the previous "block" state. In some cases state tracking should be turned off or set to sloppy, which can be done per rule under advanced settings.
Cheers,
Franco