pf synproxy state

[dick hoogendijk]

I have a pf.conf rule:

pass in on $ext_if proto tcp from any to $server port 80 \
   flags S/SA synproxy state

It should be safer for the webserver (so they say)..

But after a few hours of no connection I began to wonder and changed
the "synproxy state" back to "keep state" (things started to work
again).

I googled and found msgs about a non working synproxy on 5.x, but 6.0
should work (they say).

Has anybody some experience in this matter?
Does synproxy work?
Do I do something wrong? (overlooked something)?

-- 
dick -- http://nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 6.0 ++ The Power to Serve
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilja