On 18.02.2026 at 10:51, Luca Di Gregorio wrote:
> Hi, I developed a script to try to block IPs that are potentially doing SYN
> Flood to my https server.
> 
> These are the configurations in my /etc/pf.conf:
> 
> pass in on egress proto tcp from any to (egress:0) port = 443 flags S/SA synproxy state
> block return log on egress proto tcp from <bad_hosts> to (egress:0) port = 443
> 
> Every minute I run the script:
> 
> 1)
> # pfctl -ss | grep -w tcp | grep -w 443 | grep -w PROXY
> 
> all tcp <my_server>:443 <- <potential_bad_host>:45031       PROXY:SRC
> 
> 2)
> I put the <potential_bad_host> in a local database, and I increment the
> number of occurrences the PROXY:SRC appears.

What issue are you trying to solve? This looks like you are
overcomplicating things. Did you already try to fiddle with timeouts? Like:

set timeout tcp.opening 1

Beware that this may lead to problems when most legit connection attempts
come from e.g. mobile devices throttled to 64kBit/s (ISDN).

synproxy state should do the job without requiring any more complexity
around it.

All of this is hard to answer without knowing any numbers demonstrating
the issue you'd like to solve.

Regards,
-- 
Christian
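For readers who want to see what the counting step of the quoted script amounts to, here is an added example (not Luca's script and not part of this thread): it parses lines in the shape of the `pfctl -ss` output quoted above, counts the half-open `PROXY:SRC` states each client holds toward port 443, accumulates those counts across runs the way the mail describes, and builds (but does not execute) the `pfctl -t bad_hosts -T add` command. The state lines, the threshold and the IPv4-only address format are assumptions made for the example.

```python
"""Count half-open synproxy (PROXY:SRC) states per client from `pfctl -ss` output.

Added example, not the script from the original mail. The sample lines below are
constructed in the shape of the one line quoted there; on a real host the input
would be the output of `pfctl -ss`. IPv4 "addr:port" formatting is assumed.
"""
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output (documentation addresses only).
SAMPLE_STATES = """\
all tcp 192.0.2.10:443 <- 198.51.100.7:45031       PROXY:SRC
all tcp 192.0.2.10:443 <- 198.51.100.7:45032       PROXY:SRC
all tcp 192.0.2.10:443 <- 198.51.100.7:45033       PROXY:SRC
all tcp 192.0.2.10:443 <- 203.0.113.5:51000       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 203.0.113.9:40000       PROXY:SRC
all udp 192.0.2.10:53 <- 198.51.100.7:5353       MULTIPLE:SINGLE
all tcp 192.0.2.10:22 <- 198.51.100.7:40001       PROXY:SRC
"""

# Inbound state line: "<if> <proto> <dst>:<dport> <- <src>:<sport> ... <state>"
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+<-\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<state>\S+)\s*$"
)


def count_proxy_sources(states_text, port=443):
    """Per-source count of tcp states to `port` still stuck in PROXY:SRC."""
    counts = Counter()
    for line in states_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # outbound ("->") or otherwise shaped lines are skipped
        if m["proto"] != "tcp" or int(m["dport"]) != port:
            continue
        if m["state"] != "PROXY:SRC":
            continue
        counts[m["src"]] += 1
    return counts


def accumulate(db, counts):
    """Add this run's counts to the running totals kept between runs.

    `db` stands in for the local database mentioned in the mail; a Counter is
    used here so the example needs no storage backend.
    """
    db.update(counts)
    return db


def hosts_over_threshold(db, threshold):
    """Sources whose accumulated PROXY:SRC count has reached `threshold`."""
    return sorted(ip for ip, n in db.items() if n >= threshold)


def pfctl_add_command(table, hosts):
    """Argument vector that would add `hosts` to the pf table (not executed)."""
    return ["pfctl", "-t", table, "-T", "add", *hosts]


if __name__ == "__main__":
    db = Counter()
    accumulate(db, count_proxy_sources(SAMPLE_STATES))
    bad = hosts_over_threshold(db, threshold=3)  # threshold is an assumption
    print(dict(db))
    print(pfctl_add_command("bad_hosts", bad))
```

Note that a single snapshot counts states, not SYNs: a client that holds three half-open states at once looks the same as one whose three earlier attempts simply have not timed out yet, which is why the timeout suggestion in the reply above matters as much as the counting.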
