#
# block all TCP packets with only the SYN flag set (this is the first
# packet sent to establish a connection) out of the SYN-ACK pair.
block in proto tcp from any to any flags S/SA