Kudos to the PF developers. Here is an interesting metric from a
production /16 network, running OpenBSD 3.6:
96% of blatant TCP port-scan-related traffic stopped by pf's
max-src-states feature.
After tuning pf's max-src-states for our environment and "normal"
traffic loads, we measured how many TCP ports were scanned from
off-site. During a one-day period, Internet-based hosts attempted to
scan 483,474 TCP ports; only 19,911 made it through, which amounts to
a 96% reduction in the number of ports, while at the same time having
no negative effect on normal traffic.
Here is an excerpt from our pf rules:

# generic stateful pass for inbound traffic from off-site
pass in on $ext_if from ! $int_net to $int_net \
    label "Incoming on external iface" keep state

# TCP is blocked by default ...
block in on $ext_if proto tcp from any to any

# ... and only allowed for new connections (SYN only), with at most 200
# states per source address and short timeouts for half-open states
pass in on $ext_if proto tcp from ! $int_net to $int_net flags S/SA \
    keep state (max-src-states 200, tcp.first 300, tcp.opening 300)
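The mechanism behind those numbers is simple: every passing SYN creates a state, states from unanswered SYNs live for tcp.first seconds, and once a source owns max-src-states live states its further SYNs hit the block rule. The following simulation is an added illustration written for this post, not pf code and not from the original author; it models only that counting logic with the post's values (200 states, 300 s). It assumes the scanned ports never answer, so each state lives the full tcp.first, and uses constructed source addresses from 203.0.113.0/24. It goes a little beyond the post by also showing the two scans the limit does not catch: a scan slower than one port per tcp.first/max-src-states seconds, and a scan spread across several source addresses.

```python
"""Simulate pf's per-source state limit (max-src-states) together with the
tcp.first timeout, to show which TCP port scans the limit stops.

Added example for illustration; not pf code.  Simplifications (assumptions):
  * scanned ports never reply, so every state lives for the full tcp.first
  * one SYN per port, no retransmissions
  * source addresses are constructed from 203.0.113.0/24 (TEST-NET-3)
"""
from collections import defaultdict

MAX_SRC_STATES = 200   # max-src-states from the post's rule
TCP_FIRST = 300.0      # tcp.first from the post's rule, in seconds


class StateTable:
    """Per-source view of the pf state table: how many states a source owns."""

    def __init__(self, max_src_states=MAX_SRC_STATES, tcp_first=TCP_FIRST):
        self.max_src_states = max_src_states
        self.tcp_first = tcp_first
        # src address -> list of (expiry_time, dport) for live states
        self.states = defaultdict(list)
        self.passed = 0
        self.blocked = 0

    def _expire(self, src, now):
        """Drop states whose tcp.first timeout has elapsed."""
        self.states[src] = [(exp, dp) for exp, dp in self.states[src] if exp > now]

    def syn(self, src, dport, now):
        """Evaluate one inbound SYN at time `now`.

        Returns True if the pass rule creates a state (the SYN reaches the
        host), False if the source already owns max-src-states live states
        and the SYN falls through to the block rule.
        """
        self._expire(src, now)
        if len(self.states[src]) >= self.max_src_states:
            self.blocked += 1
            return False
        self.states[src].append((now + self.tcp_first, dport))
        self.passed += 1
        return True


def run_scan(ports, interval, sources=1):
    """Scan `ports` one SYN every `interval` seconds, rotating over `sources`
    constructed source addresses.  Returns the number of ports whose SYN
    passed the rule, i.e. ports the scanner actually got to probe.
    """
    table = StateTable()
    reached = 0
    for i, port in enumerate(ports):
        src = "203.0.113.%d" % (1 + i % sources)
        if table.syn(src, port, now=i * interval):
            reached += 1
    return reached


def slowest_unthrottled_interval(max_src_states=MAX_SRC_STATES, tcp_first=TCP_FIRST):
    """Seconds between SYNs above which a single source never hits the limit:
    at that pace the oldest state expires before the limit fills up."""
    return tcp_first / max_src_states


if __name__ == "__main__":
    ports = range(1, 1001)
    print("fast scan, one source:     %d/1000 ports reached" % run_scan(ports, 0.01))
    print("slow scan, one source:     %d/1000 ports reached" % run_scan(ports, 2.0))
    print("fast scan, five sources:   %d/1000 ports reached" % run_scan(ports, 0.01, sources=5))
    print("evasion threshold: one SYN every %.1f s" % slowest_unthrottled_interval())
```

With the post's settings a single host sweeping 1000 ports in a few seconds only ever touches 200 of them, which is the effect measured above. The same host probing one port every 2 s, or five hosts splitting the sweep, reaches all 1000, because max-src-states is a per-address cap on live states rather than a rate limit: any scan slower than tcp.first divided by max-src-states (1.5 s per port here) never fills the quota. That is the caveat to keep in mind when reading the 96% figure.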