SYN proxy

- protects the real server from SYN flood attacks
- similar effect to SYN cookies, but requires no change of packets at all (fully transparent)
- uses the existing state entry and sequence number modulators (no additional memory cost)
- e.g.

    pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state

- external client sends SYN (with client ISN)
- pf swallows SYN, generates SYN+ACK (random ISN) to client
- client sends ACK, pf handshakes with server, gets server ISN
- now store ISN difference in existing sequence number modulators, and forward transparently from this point on
- no information stored in packets (as with cookies), no degradation of ISN randomness (actually, improvement)
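
The ISN-difference bookkeeping described above, as an added example (a simplified model, not pf source code). All struct and function names are hypothetical, and the sketch assumes the proxy picks its own ISN towards both the client and the server, so each direction gets one stored difference.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a SYN proxy's per-connection state.
 * All names are hypothetical; this is not pf source code. */
struct proxy_state {
    uint32_t to_client_diff; /* ISN the proxy gave the client - server's real ISN */
    uint32_t to_server_diff; /* ISN the proxy gave the server - client's real ISN */
};

struct tcp_seg { uint32_t seq, ack; };

/* Run once, after both handshakes finish. uint32_t math wraps mod 2^32,
 * which matches TCP sequence-space arithmetic. */
static struct proxy_state proxy_established(uint32_t client_isn, uint32_t isn_to_client,
                                            uint32_t isn_to_server, uint32_t server_isn)
{
    struct proxy_state st = { isn_to_client - server_isn, isn_to_server - client_isn };
    return st;
}

/* Server -> client: move seq into the space the client was shown,
 * move ack back into the client's own space. */
static struct tcp_seg rewrite_to_client(const struct proxy_state *st, struct tcp_seg in)
{
    struct tcp_seg out = { in.seq + st->to_client_diff, in.ack - st->to_server_diff };
    return out;
}

/* Client -> server: the mirror image. */
static struct tcp_seg rewrite_to_server(const struct proxy_state *st, struct tcp_seg in)
{
    struct tcp_seg out = { in.seq + st->to_server_diff, in.ack - st->to_client_diff };
    return out;
}

int main(void)
{
    /* Constructed ISNs, chosen so that the arithmetic wraps around 2^32. */
    uint32_t c = 0xFFFFFF00u, pc = 0x00000010u, ps = 0x12345678u, s = 0xFFFFFFF0u;
    struct proxy_state st = proxy_established(c, pc, ps, s);
    struct tcp_seg from_client = { c + 1, pc + 1 };   /* client's first ACK */
    struct tcp_seg from_server = { s + 1, ps + 1 };   /* server's first segment */
    struct tcp_seg to_server = rewrite_to_server(&st, from_client);
    struct tcp_seg to_client = rewrite_to_client(&st, from_server);
    printf("to server: seq=%08x ack=%08x\n", (unsigned)to_server.seq, (unsigned)to_server.ack);
    printf("to client: seq=%08x ack=%08x\n", (unsigned)to_client.seq, (unsigned)to_client.ack);
    return 0;
}
```

Only the two 32-bit differences are kept per connection; every later segment is translated by one addition and one subtraction, with nothing carried inside the packets.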