Is it possible to apply a filter rule based on TCP options? I saw there's the possibility to do that with TCP flags.
I ask this since I saw a lot of SYN floods come with no options at all; since nowadays basically no one starts a TCP handshake without at least one of SACK, window scale, ECN, and such, it would be interesting to get rid of them.
I tried the synproxy state type, but it's not a good choice in my opinion. I also limited the number of SYNs in a time window and it works quite well; the issue is it is so simple for a tool to change the source address, making SYN flooding too easy.
There's matching for IP options in pf.conf(5), but unfortunately nothing for TCP as far as I can see.
https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&n=1
Cheers,
Franco
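Since pf can match TCP flags (`flags S/SA`) but not the options field, telling an option-less SYN apart from a normal one means parsing the TCP header yourself. The example below is added here and is not part of the thread or of pf; it is a small, hypothetical userspace detector showing the check: a SYN whose data offset is 5 (20-byte header) carries no options at all, and a real stack almost always sends at least MSS, SACK-permitted, window scale or timestamps. One caveat worth noting: ECN is negotiated via the ECE/CWR flag bits, not via an option, so it does not show up in the options field. All packets are constructed inline with zeroed checksums; the function and constant names are assumptions, not pf identifiers.

```python
import struct
from collections import Counter

# Hypothetical detector, not pf code: flag TCP SYNs whose options field is empty.
TCP_SYN = 0x02
TCP_ACK = 0x10

# Option kinds from the TCP option registry.
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8

# Constructed options of a typical modern SYN: MSS 1460, SACK-permitted, window scale 7.
MODERN_OPTIONS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x03\x03\x07"


def build_ipv4_tcp(src, dst, sport, dport, flags, options=b""):
    """Build a minimal IPv4+TCP packet (constructed test input; checksums left zero)."""
    opt = options + b"\x01" * (-len(options) % 4)      # NOP-pad to a 32-bit boundary
    data_offset = 5 + len(opt) // 4                     # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_offset << 4, flags, 65535, 0, 0) + opt
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_tcp(pkt):
    """Return (src, dst, flags, raw options) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                                     # not TCP, or truncated
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or len(tcp) < data_offset:
        return None                                     # malformed TCP header length
    return src, dst, tcp[13], tcp[20:data_offset]


def tcp_option_kinds(options):
    """Walk the options field and list the option kinds present (NOP/EOL skipped)."""
    kinds, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                       # malformed: bad or missing length
        kinds.append(kind)
        i += options[i + 1]
    return kinds


def _syn_without_options(flags, options):
    # pf's "flags S/SA": SYN set, ACK clear; then require an empty options list.
    if flags & (TCP_SYN | TCP_ACK) != TCP_SYN:
        return False
    return not tcp_option_kinds(options)


def is_bare_syn(pkt):
    """True for a SYN (not SYN/ACK) whose options field carries no real option."""
    parsed = parse_tcp(pkt)
    return parsed is not None and _syn_without_options(parsed[2], parsed[3])


def bare_syn_sources(packets):
    """Count option-less SYNs per source address over a batch of packets."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed is not None and _syn_without_options(parsed[2], parsed[3]):
            counts[parsed[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    sample = [
        build_ipv4_tcp("203.0.113.7", "198.51.100.1", 40000, 443, TCP_SYN),
        build_ipv4_tcp("203.0.113.7", "198.51.100.1", 40001, 443, TCP_SYN),
        build_ipv4_tcp("192.0.2.10", "198.51.100.1", 50000, 443, TCP_SYN, MODERN_OPTIONS),
    ]
    print(bare_syn_sources(sample))   # {'203.0.113.7': 2}
```

The per-source counter only illustrates the classification; as the original question already points out, a flooding tool can spoof the source address freely, so an option-less-SYN check is best used as a drop criterion on the packet itself (for example feeding a table consumed by a pf rule) rather than as a per-source rate limit.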