On 2021-10-10, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Sun, Oct 10, 2021 at 02:48:04PM +0300, Barbaros Bilek wrote:
>> Hello Peter,
>> 
>> I think you suggest me some work around like max-src-conn-rate, right?
>
> I would think both the rate and the number of simultaneous connections could 
> be relevant here, yes.

max-src-conn-rate is only for established TCP connections. nc -z type scans
will handshake so it would pick up on those, but most scan methods used by
nmap and others won't complete a handshake so it won't trigger in those cases.
(Additionally I am led to believe that source-track is not really the best
idea if you want good performance out of PF).

Probably the best way to hide which ports are really open on a machine is to
answer connections on *every* port, which could be done with "pass in on
<iface> proto tcp to self synproxy state"; it's definitely a bodge though!
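As an added example (not rules posted in this thread), both approaches from the reply written out in pf.conf syntax; the interface macro, the port list, the limits and the table name are assumptions:

```pf
# Added example, not from the thread: rate limiting via source tracking,
# beside the synproxy "bodge". Interface, ports, limits and table name are
# assumed values, not taken from the original message.
ext_if = "em0"

# Sources that exceed the limits below are added here and dropped.
table <bruteforce> persist
block in quick on $ext_if from <bruteforce>

# State (and so source tracking) is only created on a completed TCP
# handshake: nc -z style connect() scans are counted here, but half-open
# SYN scans that never finish the handshake are not.
pass in on $ext_if proto tcp to self port { ssh, https } \
    keep state (max-src-conn 20, max-src-conn-rate 5/10, \
    overload <bruteforce> flush global)

# Alternative from the reply: PF itself completes the handshake on every
# TCP port, so a connect scan cannot tell open from closed ports. Kept
# commented out here because it applies to all ports, not just services.
# pass in on $ext_if proto tcp to self synproxy state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.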


Reply via email to