I've been getting hit a lot lately with syn flood attacks. I've started looking for ways to fight back and the single best way appears to be the syn proxy feature in pf. And it looks like I just have to use one word to enable it. There doesn't seem to be a hell of a lot written about the topic on the web, but what I have been able to find makes me think this is a great primary defense mechanism.
So I opened up pf.conf and added `synproxy` to my rule that allows web and email traffic in. Here is the rule; I can post all my rules if that would be helpful (it's a pretty short file):
Code:
```
pass in quick proto tcp from any to any port { 25 80 443 587 993 } flags S/SA synproxy state
```
Unfortunately, this did not have the desired effect. All traffic on those ports was getting blocked. From what I've seen in examples, the syntax looks right. Any ideas what is causing the problem here? (As I type this, I'm setting up a dummy server I can use to play around some more)