On Wed, Feb 07, 2007 at 04:47:00AM +0800, frank hu wrote:

> So my question is why does PF create state while the first 3-way handshake
> didn't complete? What is the right usage of a synproxy rule to protect a port
> from DoS attack?
That's what synproxy does, by design. It does protect the recipient from seeing packets (and allocating resources) before the handshake is complete, but at the cost of itself allocating some resources (the state entry). The state entry will not pass packets through to the real recipient before the handshake is complete, but merely holds the information needed to verify that the handshake with the client is valid.

Daniel
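The trade-off described above can be made explicit in the ruleset. The following pf.conf fragment is an added example, not part of the original thread or of Daniel's reply; the interface name, host address and the numeric limits are constructed placeholders to be replaced with real values. It shows a plain `keep state` rule beside its `synproxy state` counterpart and bounds the state entries that the proxying itself allocates, so a SYN flood exhausts a known, capped resource on the firewall rather than an unbounded one.

```pf
# Added example (not from the original thread). Macros, interface name and
# limits are constructed placeholders; adjust them to the real environment.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Global cap on state-table entries. A synproxy rule allocates one entry per
# incoming SYN, so this bounds what a SYN flood can cost the firewall.
set limit states 50000

# Reclaim half-open states (SYN seen, handshake never finished) sooner than
# the default, so abandoned handshakes do not sit in the table for long.
set timeout tcp.first 30

# Without synproxy: the server answers every SYN itself and holds a half-open
# connection until the handshake completes or times out.
# pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# With synproxy: pf completes the handshake with the client first and only then
# opens the connection to $web_srv. The cost is one state entry on the firewall
# per SYN; "max" caps how many entries this single rule may hold.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state (max 5000)
```

Load the ruleset with `pfctl -f /etc/pf.conf` (or check it first with `pfctl -nf /etc/pf.conf`). During a flood, `pfctl -si` reports the current number of state entries against the configured limit, and `pfctl -ss` lists the individual entries; half-open synproxy states are the ones that never progress to ESTABLISHED, which is the detection signal that the proxying, rather than the server, is absorbing the SYNs.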