Thanks for the response. I observe that I receive not hand-shaked SYNs from entire networks X.X.0.0/16 or /24. The rate per second per single IP is slow. In this case, max-src-conn and max-src-conn-rate don't work; it means that PF continues to accept not hand-shaked SYNs from IPs belonging to those networks.

My script blocks those IPs. They could be "good guys" faked by whoever is actually doing the SYN flood, but I want to block them, assuming the risk, and flush the <bad_hosts> pf table under certain circumstances.

On Thu, 19 Feb 2026 at 09:22, Christian Schulte <[email protected]> wrote:
> On 18.02.2026 at 10:51, Luca Di Gregorio wrote:
> > Hi, I developed a script to try to block IPs that are potentially doing SYN
> > Flood to my https server.
> >
> > These are the configurations in my /etc/pf.conf:
> >
> > pass in on egress proto tcp from any to (egress:0) port = 443 flags S/SA synproxy state
> > block return log on egress proto tcp from <bad_hosts> to (egress:0) port = 443
> >
> > Every minute I run the script:
> >
> > 1)
> > # pfctl -ss | grep -w tcp | grep -w 443 | grep -w PROXY
> >
> > all tcp <my_server>:443 <- <potential_bad_host>:45031 PROXY:SRC
> >
> > 2)
> > I put the <potential_bad_host> in a local database, and I increment the
> > number of occurrences the PROXY:SRC appears.
>
> What issue are you trying to solve? This looks like you are
> overcomplicating things. Did you already try to fiddle with timeouts? Like:
>
> set timeout tcp.opening 1
>
> Beware that may lead to problems when most legit connection attempts
> come from e.g. mobile devices throttled to 64kBit/s (ISDN).
>
> synproxy state should do the job without requiring any more complexity
> around it.
>
> All of this is hard to answer without knowing any numbers demonstrating
> the issue you'd like to solve.
>
> Regards,
> --
> Christian
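Added example, not the script from the thread (which was never posted): it parses the `pfctl -ss` output format quoted above and counts PROXY:SRC states per /24 or /16 instead of per IP, which is the aggregation the reply says per-IP counting misses. The port 443 filter and the `bad_hosts` table name come from the thread; the sample states, the threshold of 3 states per network and the single-snapshot view (the poster accumulates counts across runs in a database) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output, modelled on the line quoted in the thread.
SAMPLE_STATES = """\
all tcp 192.0.2.10:443 <- 198.51.100.7:45031 PROXY:SRC
all tcp 192.0.2.10:443 <- 198.51.100.9:45032 PROXY:SRC
all tcp 192.0.2.10:443 <- 198.51.100.77:45033 PROXY:SRC
all tcp 192.0.2.10:443 <- 198.51.100.200:45034 PROXY:SRC
all tcp 192.0.2.10:443 <- 203.0.113.5:51000 ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 203.0.113.6:51001 PROXY:SRC
all udp 192.0.2.10:53 <- 203.0.113.6:51002 MULTIPLE:MULTIPLE
"""

# Only tcp states to port 443 still parked in synproxy (PROXY:SRC); captures the source IP.
PROXY_RE = re.compile(r"^\S+\s+tcp\s+\S+:443\s+<-\s+(\d+\.\d+\.\d+\.\d+):\d+\s+PROXY:SRC$")


def proxy_sources(pfctl_output):
    """Source address of every half-open synproxy state to port 443, one entry per state."""
    matches = (PROXY_RE.match(line.strip()) for line in pfctl_output.splitlines())
    return [ipaddress.ip_address(m.group(1)) for m in matches if m]


def count_per_network(ips, prefixlen):
    """Number of PROXY:SRC states per enclosing /prefixlen network (24 or 16 in the thread)."""
    nets = Counter()
    for ip in ips:
        nets[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return nets


def suspect_networks(pfctl_output, prefixlen=24, min_states=3):
    """Networks meeting the threshold in this snapshot, highest count first.
    A slow flood spread over a /24 or /16 stays under any per-IP limit; counting per
    prefix catches it, at the price of blocking the whole network (the risk the poster accepts)."""
    counts = count_per_network(proxy_sources(pfctl_output), prefixlen)
    return sorted(((n, c) for n, c in counts.items() if c >= min_states), key=lambda x: -x[1])


def pfctl_block_commands(networks, table="bad_hosts"):
    """pfctl invocations that would add the flagged networks to the <bad_hosts> table (not executed)."""
    return [f"pfctl -t {table} -T add {net}" for net, _ in networks]


if __name__ == "__main__":
    hits = suspect_networks(SAMPLE_STATES)
    for net, n in hits:
        print(f"{net}: {n} half-open synproxy states")
    print("\n".join(pfctl_block_commands(hits)))
```

Flushing the table later, as the reply mentions, is `pfctl -t bad_hosts -T flush`; the thresholds should be set from the real numbers Christian asks for rather than the guessed values here.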

