BSD use SYN,ACK filter to catch autottl

docs/bsdfw.txt

@@ -27,9 +27,10 @@ ipfw add 100 fwd ::1,988 tcp from any to any 80,443 proto ip6 recv em1
 
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
+; required for autottl mode
+ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
+; udp
 ipfw add 100 divert 989 udp from any to any 443 out not diverted not sockarg xmit em0
-# this is required for autottl but very bad, all incoming traffic will be diverted, no way to limit like in linux (connbytes)
-ipfw add 100 divert 989 tcp from any 80,443 to any in not diverted not sockarg recv em0
 
 ipfw delete 100
 ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
@@ -71,6 +72,7 @@ pfctl -f /etc/pf.conf
 
 ; dvtws works both for routed and local
 
+pass in  quick on em0 proto tcp from port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 proto tcp from port {80,443} no state
 pass out quick on em0 proto tcp to   port {80,443} divert-packet port 989 no state
 pfctl -f /etc/pf.conf