On 2018/09/19 10:00, Tim Jones wrote:
> The reason I've got "syncookies always" is because there are various
> internet exposed services (e.g. webservers) sitting behind this PF
> instance, and as far as I can gather syncookies is recommended as a good
> thing (tm) for these sorts of applications? This PF instance is very
> much a majority out->in instance.

Oh, also: syncookies have been used for years as an "on host" mechanism
for syn protection on some OS (as part of the TCP stack, not part of the
firewall/filter) - advice you get about using them in that situation
isn't directly applicable to using them on an intermediate firewall.

Maybe we need "(intended for testing only)" next to "syncookies always"
in PF docs ..
