Example #3 – rule to prevent SYN flood attacks

At the beginning of this chapter, we discussed SYN flood attacks. We also mentioned that the SYN and FIN flags should never both be set on the same TCP packet. If they are, there's a good possibility that the packets are part of a SYN flood attack. In any case, it's not a valid packet and can be dropped safely.

Fortunately, pfSense gives us the means to block such packets. To do this, navigate to Firewall | Rules and on the WAN tab, click on the Add button with the up arrow (we want this rule to appear at the beginning of the list). Once the Edit page loads, change the Action to Block, and the Address Family to IPv4+IPv6. The other fields in the top section can be kept at their default values.

The Source and Destination can also be kept at their default values of Any. We don't care what the source of the traffic is, and we don't particularly care what the destination within our network is, either.

Scroll down to Extra Options and click on the Display Advanced button. Once you do this, scroll down to TCP Flags. We want to block packets that have the SYN and FIN flags set, so check the SYN and FIN columns in the set row. This should enable us to match the relevant packets. Once you are done, scroll down to the bottom of the page, click on the Save button, and then click on Apply Changes when the page reloads. The rule should be at the top of the table. If not, you should move it to the top.

You may have noticed that we created the rule on the WAN interface and not on any of the internal interfaces. This seems reasonable, as we are mainly concerned with SYN flood attacks coming from external networks, not with SYN flood attacks being launched from our networks. The latter case might be a concern, but unless we have reason to believe that it might happen, adding this rule to our internal interfaces will just generate a lot of work for our firewall that it doesn't need to do.
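To see what the rule's match condition means at the packet level, the following added example (not from the book and not pfSense's own code) parses the flags field of a TCP header and reports whether SYN and FIN are both set. The function names, the verdict strings, and the sample segments are assumptions constructed for illustration.

```python
import struct

# TCP flag bits: the low byte of the 16-bit data-offset/flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SYN_FIN = SYN | FIN


def build_tcp_header(sport, dport, flags, seq=0, ack=0, data_offset=5):
    """Build a 20-byte TCP header (constructed test data, checksum left at 0)."""
    offset_flags = (data_offset << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 65535, 0, 0)


def tcp_flags(segment):
    """Return the eight flag bits, or None if the header is malformed."""
    if len(segment) < 20:
        return None  # shorter than the minimum TCP header
    (offset_flags,) = struct.unpack_from("!H", segment, 12)
    header_len = (offset_flags >> 12) * 4  # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        return None
    return offset_flags & 0xFF


def verdict(segment):
    """'block' when SYN and FIN are both set, whatever other flags are present."""
    flags = tcp_flags(segment)
    if flags is None:
        return "malformed"
    return "block" if (flags & SYN_FIN) == SYN_FIN else "no-match"


# Constructed sample segments: (description, raw header bytes).
SAMPLES = [
    ("normal connection request", build_tcp_header(40000, 443, SYN)),
    ("normal handshake reply", build_tcp_header(443, 40000, SYN | ACK)),
    ("normal connection close", build_tcp_header(40000, 443, FIN | ACK)),
    ("invalid SYN+FIN", build_tcp_header(40000, 443, SYN | FIN)),
    ("invalid SYN+FIN+PSH+URG", build_tcp_header(40000, 443, SYN | FIN | PSH | URG)),
    ("truncated header", build_tcp_header(40000, 443, SYN)[:12]),
]

if __name__ == "__main__":
    for name, segment in SAMPLES:
        print(f"{name:28} {verdict(segment)}")
```

A "no-match" result only means this rule does not apply; on the firewall, such a packet is then evaluated against the rules further down the list.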
