This could be solved with 'embryonic states' [...]

Sounds interesting, and far more general than the simple hack I was
envisioning.  If there's some way of convincing the kernel to send the
initial SYN and accept the SYN/ACK, then all that's needed (if it
doesn't already exist) is a means for the userland proxy to create a
state entry to simulate an established connection.  In the absence of
TCP connection state tracking, I imagine that this would be fairly
easy...

Anyway, good to see people are thinking about this, but at first sight
this seems to be a show stopper for me, and pushes me towards my
original plan of using linux and netfilter/iptables.

Hmm, I guess maybe I can live with continuing to allow all high
numbered ports into my ftp server.  At the moment, using linux and
ipchains, I have to allow this anyway, and ultimately it's pretty safe
since I know that nothing else should be listening on those ports on
my ftp server.  Is that what everyone else does?

Maybe it's worth it for the added security that a userland proxy gives
me over my outgoing ftp connections (I don't fully trust anything that
does packet-level snooping of the control connection, because of the
potential to get confused when commands or responses span packets).

Incidentally, the other big thing I get with iptables (that pf lacks,
as far as I can tell) is the ability for a rule to match on both the
interface that a packet was received on and the interface that it will
be forwarded out on.  Whilst not a showstopper, it makes the rules a
lot simpler and more maintainable in the case of a large network (otherwise
you essentially have to duplicate your routing table in your filtering
rules in order to gain the same effect).

I guess this functionality could be implemented in userland as a
front-end in pfctl, assuming you only care about static routing
tables...  (I assume the antispoofing is done this way?)

Finally (and I realise that this is probably the wrong place to ask
this question) if I decide that pf is not ready for me should I be
considering ipfilter as an alternative to linux?  (Probably on FreeBSD
since this is currently one of our infrastructure platforms.)
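
The "front-end that duplicates the routing table" idea from this message, as an added example that is not code from the thread or from pf/pfctl: a small Python script (the names STATIC_ROUTES, destinations_via and expand_policy, and the sample routes and interfaces, are assumptions) that turns an iptables-style "in on X, out on Y" policy into pf rules keyed on the ingress interface plus the destination prefixes the static routing table sends out of Y, carving out any more-specific prefix routed elsewhere so a default route does not also match LAN or DMZ traffic.

```python
# Added example, not from the original thread or from pf/pfctl; the names
# STATIC_ROUTES, destinations_via and expand_policy are assumptions.
from ipaddress import ip_network

# Constructed sample routing table: destination prefix -> egress interface.
STATIC_ROUTES = {
    "10.1.0.0/16": "fxp0",   # internal LAN
    "192.0.2.0/24": "fxp1",  # DMZ holding the ftp server
    "0.0.0.0/0": "fxp2",     # default route, upstream
}

def destinations_via(out_if):
    """Prefixes actually forwarded out of `out_if`: each route's prefix minus
    any more-specific prefix the table sends elsewhere (longest-prefix match),
    so the default route does not swallow the LAN or the DMZ."""
    routes = {ip_network(p): i for p, i in STATIC_ROUTES.items()}
    pieces = []
    for net, iface in routes.items():
        if iface != out_if:
            continue
        remaining = [net]
        for other, other_if in routes.items():
            if other_if == out_if or not other.subnet_of(net):
                continue
            carved = []
            for piece in remaining:
                if other.subnet_of(piece):
                    carved.extend(piece.address_exclude(other))  # empty if equal
                else:
                    carved.append(piece)
            remaining = carved
        pieces.extend(remaining)
    return sorted(pieces)

def expand_policy(action, in_if, out_if, proto="tcp", port=None):
    """One iptables-style (in_if, out_if) policy -> pf rules keyed on the ingress
    interface, with the egress interface replaced by the prefixes routed through
    it: the routing-table duplication described above, done mechanically."""
    port_clause = f" port {port}" if port is not None else ""
    rules = []
    for net in destinations_via(out_if):
        dst = "any" if net.prefixlen == 0 else str(net)
        rules.append(f"{action} in on {in_if} proto {proto} from any to {dst}{port_clause}")
    return rules

if __name__ == "__main__":
    # iptables: -i fxp0 -o fxp1 -p tcp --dport 21 -j ACCEPT
    print("\n".join(expand_policy("pass", "fxp0", "fxp1", port=21)))
    # iptables: -i fxp0 -o fxp2 -j ACCEPT -> the default route minus LAN and DMZ
    print(len(expand_policy("pass", "fxp0", "fxp2")), "rules for -i fxp0 -o fxp2")
```

The second policy shows the cost of the approach: one iptables rule becomes dozens of pf rules once the default route has the LAN and DMZ prefixes carved out of it.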
