On 2021/02/25 15:32, Steffen Fritz wrote:
> Hello,
>
> On Thu, Feb 25, 2021 at 01:21:54PM +0000, Stuart Henderson wrote:
> >
> > Any difference if you change "modulate state" to "keep state"?
>
> as this is a (privately used) productive system and I don't have a
> testing stage I cannot test this easily. I would have to syspatch and
> render the system unusable for some time. If nothing helps I can do it
> but maybe someone else can check this on a test system?
>
> Best regards,
>
> Steffen
btw, if you look at what "modulate state" does as described in pf.conf(5), using it on services hosted on the machine running PF itself doesn't make much sense in the first place, it's for protecting machines that have junk sequence number generation. OpenBSD's TCP stack already uses a good rng so there's no point in PF adjusting every single packet in the connection to replace sequence numbers/acks with something that isn't any better than it was already (and adjusting checksums to match). (if that _is_ responsible for the problem then obviously it wants fixing but I wanted to mention that on-list as this feature seems to get cargo-culted a lot where it isn't useful..)
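To illustrate the distinction drawn above, here is an added pf.conf fragment (not from the thread) contrasting a rule where "modulate state" has a purpose, traffic forwarded to another host whose TCP stack is not trusted to pick good initial sequence numbers, with rules for services on the PF host itself, where "keep state" (the default) is all that is needed. The interface name, the internal address 192.0.2.10 and the ports are assumed for the example.

```conf
# Traffic redirected to an internal host with a questionable TCP stack:
# "modulate state" makes pf rewrite sequence numbers (and checksums) on
# every packet so the backend's weak ISN choice is hidden from the outside.
pass in on egress inet proto tcp to (egress) port 80 \
    rdr-to 192.0.2.10 modulate state

# Services terminated on the PF host itself: OpenBSD's own stack already
# randomises ISNs, so plain stateful filtering is sufficient. "keep state"
# is the default and may be omitted; it is spelled out here for contrast.
pass in on egress inet proto tcp to (egress) port 22 keep state
pass in on egress inet proto tcp to (egress) port 443 keep state
```

Before reloading, `pfctl -nf /etc/pf.conf` parses the ruleset without installing it, so a syntax mistake in the edit does not take the firewall down on a production box.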
