beastie.frontfree.net should protect itself!
I have added some SYN-flood-proof packet filter rules for beastie.frontfree.net. Interestingly, the filter options seem to "forge" beastie.frontfree.net into looking like an OpenBSD box.
The rules are here:
pass in proto tcp from any to any port www flags S/SA synproxy state
pass in proto tcp from any to any port smtp flags S/SA synproxy state
pass in proto tcp from any to any port pop3s flags S/SA synproxy state
pass in proto tcp from any to any port imaps flags S/SA synproxy state
pass in proto tcp from any to any port domain flags S/SA synproxy state
pass in proto tcp from any to any port ssh flags S/SA synproxy state
pass in proto tcp from any to any port cvsup flags S/SA synproxy state
pass in proto tcp from any to any port cvspserver flags S/SA synproxy state
The packet filter (a.k.a. pf(4) on FreeBSD, which is ported from OpenBSD) will act as a proxy between the outside world and the server. When a SYN is sent to beastie.frontfree.net, the handshake is completed by pf instead of by the TCP/IP stack itself. This brings several benefits:
o The IP ID field will be generated by OpenBSD's random IP ID algorithm.
o A SYN flood will have no effect, because the flooding sources are not able to complete a handshake.
o It is not possible to detect which OS I am using.
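A toy model of what the synproxy rules change, added here as an illustration and not pf's own code: a plain listener's SYN backlog fills up under spoofed SYNs that never ACK, while with pf proxying the handshake the server only ever sees connections that already completed it. Backlog size and flood size are made-up values.

```python
"""Constructed model of a plain TCP listener vs. pf 'synproxy state'
under a spoofed SYN flood. Not pf's implementation; sizes are invented."""


class Listener:
    """Server TCP stack with a bounded SYN backlog (half-open queue)."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = set()
        self.established = 0
        self.refused = 0

    def syn(self, src):
        # A full backlog means new SYNs are dropped, legitimate or not.
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return False
        self.half_open.add(src)
        return True

    def ack(self, src):
        self.half_open.discard(src)
        self.established += 1


class SynProxy:
    """pf in front of the server: it answers SYN/ACK itself and contacts the
    server only after the client's ACK arrives, so half-open entries never
    reach the server (pf still tracks them in its own state table)."""

    def __init__(self, server):
        self.server = server
        self.pending = set()

    def syn(self, src):
        self.pending.add(src)  # server never sees this SYN
        return True

    def ack(self, src):
        self.pending.discard(src)
        self.server.syn(src)   # pf now performs the server-side handshake
        self.server.ack(src)


def run_flood(proxied, spoofed=1000, backlog=128):
    """Flood with spoofed SYNs that never ACK, then try one real client.
    Returns (connections the server established, SYNs the server refused)."""
    server = Listener(backlog)
    front = SynProxy(server) if proxied else server
    for i in range(spoofed):
        front.syn(f"spoofed-{i}")  # constructed spoofed sources, no ACK
    if front.syn("client"):        # legitimate client after the flood
        front.ack("client")
    return server.established, server.refused
```

Without the proxy the real client is refused along with most of the flood; with it the server establishes exactly one connection and refuses nothing.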