yep, overload would be fine, but it requires max-src-conn or max-src-conn-rate. As the connection is not established (TCP handshake not done yet), even max-src-conn 1 wouldn't trigger it, so it is inadequate for what I want to achieve. For the port scans, completing the handshake is overhead; sending SYN and waiting for SYN-ACK is more than enough. Also, there is no listener running on those ports, so the handshake is never established. synproxy would be an option but not really useful...