I'm using synproxy in my pf.conf:
pass in on em0 proto tcp from any to any port = XXXX flags S/SA \
synproxy state (source-track rule, max-src-conn 36, if-bound)
This basically limits the number of TCP connections ("something in the
pf state table") from a single IP address to 36.
Now, if no process is actually listening on port XXXX and a remote
host tries to connect to port XXXX, it never gets an RST response
(I _believe_ that this is what's going on).
For example, if port XXXX is port 80 for http, and I point Firefox to
port 80 (when no Apache is running), I get the hourglass for a minute
after which "Connection Interrupted
The connection to the server was reset while the page was loading" in
Firefox.
When I point Firefox to a port that is _not_ in the synproxy rule and
when no service is running on that port, Firefox responds immediately
with "Failed to Connect
Firefox can't establish a connection to the server...".
So whatever the TCP packet is that means "this port is not listening",
it's not being sent by the synproxy when there is no service listening
on that port.
Is there a way to get synproxy to send the RST (I _think_ that's what it
is called) when no service is running on that port? Or is this a feature?
Or is there a reason it behaves this way? Intentional, bug, oversight,
or missing modifier to my rule?
Thanks.
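For readers comparing the two behaviours described above, here is an added pf.conf example that is not part of the original post. It puts the poster's synproxy rule beside a plain `keep state` rule for the same port (port 80 is used as the placeholder, as in the post) and documents, in comments, why a closed port behaves differently under each. The interface, port and limit values are assumptions carried over from the post; the behaviour described in the comments is what pf.conf(5) documents for `synproxy state`: pf completes the three-way handshake with the client itself before it ever sends a SYN toward the server.

```pf
# Added example, not from the original post. em0, port 80 and the
# max-src-conn limit of 36 are assumptions taken from the post.

# Variant A: the poster's rule. With "synproxy state", pf answers the
# client's SYN with its own SYN+ACK and only then opens a connection to
# the host. A client therefore sees connect() succeed even when nothing
# is listening; it only finds out later, when pf's own handshake to the
# closed port fails and the client-side state is torn down. That is the
# "hourglass, then connection reset" behaviour seen in Firefox.
pass in on em0 proto tcp from any to any port 80 flags S/SA \
    synproxy state (source-track rule, max-src-conn 36, if-bound)

# Variant B: the same limit without synproxy. The client's SYN is passed
# straight to the host's TCP stack, which answers a closed port with an
# immediate RST, so the client fails fast ("Failed to Connect").
# The per-source connection cap is kept; only the SYN proxying is gone.
# pass in on em0 proto tcp from any to any port 80 flags S/SA \
#     keep state (source-track rule, max-src-conn 36, if-bound)
```

To confirm which variant is in effect for a given port, watch the handshake from the firewall while a client connects, for example with `tcpdump -ni em0 port 80`: under variant A the client receives a SYN+ACK and completes the handshake regardless of whether a daemon is listening, while under variant B a closed port answers the SYN with an RST. The states pf creates (or fails to create) for the attempt can be listed with `pfctl -ss`. Note that pf has no way to know whether a process is bound to the port, so there is no rule modifier that makes synproxy send an RST for a closed port; the choice is between proxying the handshake (variant A) and letting the host's stack answer (variant B).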