From d771abfc52454abb84c5e5d121e50eb3a291843a Mon Sep 17 00:00:00 2001
From: bol-van <none@none.none>
Date: Sat, 9 Mar 2024 12:56:36 +0300
Subject: [PATCH] BSD use SYN,ACK filter to catch autottl

---
 docs/bsd.eng.md | 16 ++++++++++------
 docs/bsd.txt    | 16 ++++++++++------
 docs/bsdfw.txt  |  8 +++++++-
 3 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/docs/bsd.eng.md b/docs/bsd.eng.md
index a5598ed..1750fba 100644
--- a/docs/bsd.eng.md
+++ b/docs/bsd.eng.md
@@ -354,19 +354,23 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
 table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
 table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
 pass out quick on em0 inet  proto tcp to   <nozapret> port {80,443}
-pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} flags SA/SA divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret-user> port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret-user> port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <nozapret> port {80,443}
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret>  port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret-user>  port {80,443} divert-packet port 989 no state
 table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
 table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
 table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
 pass out quick on em0 inet6 proto tcp to   <nozapret6> port {80,443}
+pass in  quick on em0 inet6 proto tcp from <nozapret6> port {80,443}
 pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-packet port 989 no state
 ```
 
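Review bot: The added `pass in quick on em0 inet proto tcp from <nozapret> port {80,443}` rule, and its `<nozapret6>` counterpart, carries neither `flags` nor `no state`. On pf versions where pass rules default to `flags S/SA keep state`, it would match only a bare SYN arriving from source port 80/443, not the SYN,ACK replies this commit is about. Replies from excluded hosts are presumably already passed by the state that the `pass out ... to <nozapret>` rule creates, so the new rule looks redundant for its apparent purpose, while its `quick` and missing destination restriction would also admit new inbound connections from those addresses to any local port ahead of any later block rule. If the intent is only to keep excluded hosts away from the divert rule, consider scoping it like the rules below it, for example `pass in quick on em0 inet proto tcp from <nozapret> port {80,443} flags SA/SA no state`, and adding a comment such as `# exclude list: replies from these hosts are never diverted`. The same lines are added in the docs/bsd.txt and docs/bsdfw.txt hunks, and the rest of the ruleset lies outside this hunk, so its interaction with a default block policy cannot be checked from here.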
diff --git a/docs/bsd.txt b/docs/bsd.txt
index 1053801..deb9234 100644
--- a/docs/bsd.txt
+++ b/docs/bsd.txt
@@ -302,19 +302,23 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
 table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
 table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
 pass out quick on em0 inet  proto tcp to   <nozapret> port {80,443}
-pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} flags SA/SA divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret-user> port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret-user> port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <nozapret> port {80,443}
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret>  port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret-user>  port {80,443} divert-packet port 989 no state
 table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
 table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
 table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
 pass out quick on em0 inet6 proto tcp to   <nozapret6> port {80,443}
+pass in  quick on em0 inet6 proto tcp from <nozapret6> port {80,443}
 pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-packet port 989 no state
 ------------
 pfctl -f /etc/pf.conf
diff --git a/docs/bsdfw.txt b/docs/bsdfw.txt
index 21b55c4..4c040f1 100644
--- a/docs/bsdfw.txt
+++ b/docs/bsdfw.txt
@@ -85,15 +85,21 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
 table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
 table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
 pass out quick on em0 inet  proto tcp to   <nozapret> port {80,443}
+pass in  quick on em0 inet  proto tcp from <nozapret> port {80,443}
+pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} no state
 pass out quick on em0 inet  proto tcp to   <zapret>  port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} no state
 pass out quick on em0 inet  proto tcp to   <zapret-user>  port {80,443} divert-packet port 989 no state
 table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
 table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
 table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
 pass out quick on em0 inet6 proto tcp to   <nozapret6> port {80,443}
-pass in  quick on em0 inet6 proto tcp from <zapret6>  port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <nozapret6> port {80,443}
+pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6> port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-packet port 989 no state