If you have a default-deny firewall policy, but allow incoming synproxy'd HTTP connections, are the packets that are generated and sent out by pf (to verify the existence of the initial SYN's source IP) treated as part of the current stream on the client side of the connection? In other words, if they are behind a firewall that keeps state on outgoing connections but drops all other incoming, will it drop the packet generated by the firewall, causing the firewall to never continue the initial connection and the site to be unviewable? Or are the packets just part of the client's stream, too, and acknowledged? I want to apologize for my ignorance and I thank everyone for their responses in advance.
Adam Wenzel
