Hello,

I have a question about pf regarding syncookie and synproxy.

On OpenBSD 6.7, man 5 pf.conf states the following under OPTIONS:
set syncookie never | always | adaptive

. . . When syncookies are active, pf will answer each and every incoming
TCP SYN with a syncookie SYNACK, without allocating any resources.
Upon reception of the client's ACK in response to the syncookie
SYNACK, pf will evaluate the ruleset and create state if the ruleset
permits it, complete the three way handshake with the target host,
and continue the connection with synproxy in place.
Does this mean that:

** Syncookies are used to prevent the state table from being exhausted, while synproxy is used to prevent the TCP/IP stack resources from being exhausted?

** Syncookies may be used in addition to synproxy?

** Both are used to protect against resource exhaustion in TCP SYN floods?

Thanks,

- J
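
A pf.conf fragment that combines the two options on OpenBSD 6.7, added here as an illustration; it is not from J's message or the man page excerpt, and the interface name, server address and limit values are assumptions:

```pf
# Added example, not from the original post. Interface "em0", the
# address 192.0.2.10 and the state limit are assumed values.
web_srv = "192.0.2.10"

# Global option: in adaptive mode pf starts answering SYNs with
# syncookies once the state table is more than 25% full and stops
# again below 12%. "always" and "never" are the other two settings.
set syncookie adaptive (start 25%, end 12%)
set limit states 100000

# Per-rule option: with synproxy state, pf completes the handshake
# with the client itself and only then opens the connection to the
# server, so a half-open SYN never reaches the server's TCP stack.
# (A plain "keep state" rule would forward the SYN straight through.)
pass in on em0 proto tcp from any to $web_srv port 80 synproxy state
```

After loading the ruleset with pfctl -f, pfctl -si reports the syncookie mode and whether syncookies are currently active.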
