TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use

'synproxy state' for TCP connections. pf will complete the TCP handshake
with the active endpoint before passing any packets to the passive end-
point, preventing spoofed SYN floods from reaching the passive endpoint.

No additional memory requirements, no cookies needed, random initial
sequence numbers, uses the existing sequence number modulators to translate
packets after the handshakes.

ok frantzen@

0 files changed, 0 insertions, 0 deletions