SYN PROXY
By default, pf(4) passes packets that are part of a tcp(4) handshake
between the endpoints. The synproxy state option can be used to cause
pf(4) itself to complete the handshake with the active endpoint, perform
a handshake with the passive endpoint, and then forward packets between
the endpoints.
No packets are sent to the passive endpoint before the active endpoint
has completed the handshake, hence so-called SYN floods with spoofed
source addresses will not reach the passive endpoint, as the sender can't
complete the handshake.
The proxy is transparent to both endpoints; each sees a single connection
from/to the other endpoint. pf(4) chooses random initial sequence numbers
for both handshakes. Once the handshakes are completed, the sequence
number modulators (see previous section) are used to translate further
packets of the connection. synproxy state includes modulate state.
Rules with synproxy will not work if pf(4) operates on a bridge(4).
Example:
pass in proto tcp from any to any port www synproxy state
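A fuller ruleset fragment, added here as an illustration and not taken from the manual page, shows where synproxy state is typically applied: only on the rule that exposes a public listener, with ordinary keep state elsewhere. The interface name, the host address (from the 192.0.2.0/24 documentation range) and the port set are assumptions chosen for the example.

```conf
# Added example ruleset (not from pf.conf(5)); names and addresses are constructed.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Default deny inbound; outbound traffic gets plain stateful tracking.
block in on $ext_if
pass out on $ext_if keep state

# Public web listener: pf(4) completes the client's handshake itself and
# only starts a handshake with $web_srv after the client has finished, so
# spoofed SYNs never create half-open connections on the server.
# flags S/SA restricts the rule to initial SYNs, which is what the proxy
# needs to see first.
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA synproxy state

# Management access from a trusted network: no proxying needed, keep state
# is sufficient and avoids the extra handshake cost.
pass in on $ext_if proto tcp from 192.0.2.0/24 to $web_srv port 22 keep state
```

Check the fragment with pfctl -nf before loading it (parse only, no rules installed); after loading, pfctl -ss lists the state entries the proxied connections create, and pfctl -si shows the state counters. Remember the constraint above: synproxy state has no effect when pf(4) runs on a bridge(4) interface.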