pf synflood mode: 1st ACK


verify syncookie
fail -> drop

consult ruleset
block: silent drop or return RST depending on ruleset

do the 3WHS with the destination host
code already there for synproxy

set up the sequence number modulator
already there, needs the delta between our and dest ISN