Hey guys, just a thought... wouldn't it make sense to add an option to "tcp-request connection reject" to disable the actual TCP RST? So, an attacker tries to open (and keep open) a lot of ports:

a) HAProxy (configured with rate limiting etc.) does a "tcp-request connection reject", which ends up as a TCP RST. The attacker gets the RST and immediately tries again.

b) The same as a), but the socket will be closed on the server side with no RST; nothing will be sent back to the remote side. The connections on the remote side will be kept open until timeout.

Wouldn't it make sense to implement an option for b) so it can be used during major attacks or so?
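As an added illustration (not part of the post above, and not HAProxy project code), here is the kind of frontend the poster describes: per-source connection-rate tracking in a stick table, with "tcp-request connection reject" for sources over the limit. The table size, the 10 s window and the threshold of 20 connections are assumed values. The commented second rule shows "tcp-request connection silent-drop", the action HAProxy provides (since 1.6) for closing the connection without notifying the client, which is the behaviour case b) asks for.

```haproxy
# Added example (not from the post): frontend with per-source connection
# rate limiting. Table size, window and threshold are assumed values.
frontend public
    bind *:80
    mode http
    default_backend app

    # Track new connections per source IP. conn_rate(10s) counts the
    # connections opened by that source over a sliding 10 second window.
    stick-table type ip size 200k expire 60s store conn_rate(10s)
    tcp-request connection track-sc0 src

    # Case a) in the post: reject. HAProxy closes the connection at once;
    # the poster observes this as a TCP RST reaching the client, which
    # then knows it was refused and can retry immediately.
    tcp-request connection reject if { sc0_conn_rate gt 20 }

    # Case b) in the post: silent-drop (HAProxy 1.6+). The connection is
    # closed on our side without notifying the client, which is left
    # waiting until its own timeout. Swap this in for the rule above
    # when you want that behaviour during a flood.
    # tcp-request connection silent-drop if { sc0_conn_rate gt 20 }

backend app
    server app1 127.0.0.1:8080
```

The two rules are alternatives for the same condition; run "haproxy -c -f <file>" to check the syntax before reloading, and keep the threshold above the connection rate of legitimate clients behind shared NAT addresses, since the table is keyed by source IP only.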