pf synflood mode: the proxy problem


TCP stack sends back an RST when port closed, backlog full, ...
connection never becomes established

synflood mode: no RST at all or in response to 1st ACK
connection has been established from client's PoV

noteworthy case: Round Robin DNS moving on to next one vs not
RRDNS isn't THAT common
all synproxy-like implementations share that problem
only when we're under attack