On Tue, 9 Apr 2002, Mikael Olsson wrote:

> > Is it just ISNs that get randomized, or do (either product) they also
> > track and rewrite all sequence numbers? Is it for both sides of the
> > connection (in either case)?
>
> If you modify the sequence numbers in one direction, you'd darn better
> keep modifying them the same way in that direction, and also the ACKs
> in the reverse direction, or things break horribly :)

What I meant by "both sides" is do you also randomize the server's sequence number going back to the client (first ACK), not just the client's ISN going to the server.

> I can't answer for the PIX, but we randomize the ISNs (and consequent
> ACKs) in both directions (using one offset for each). Doing it that way
> was easier (and safer) than just doing it in one direction.

Is there an "off" switch for performance if the firewall just sits in front of a Web farm for instance?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
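The mechanism the thread describes (one offset per direction, SEQ shifted on the way out and ACKs shifted back on the way in) can be modelled in a few lines. The code below is an added illustration, not code from the PIX, from Mikael's product, or from any poster; the class and function names (IsnRandomizer, simulate_handshake) and the handshake simulation are assumptions of this example. It goes slightly beyond the thread by also showing the "one direction only" failure Mikael warns about, the all-zero offsets that amount to an "off" switch, and 32-bit wrap-around.

```python
"""Toy model of a stateful firewall that randomizes TCP ISNs in both directions.

Constructed illustration of the scheme described on the list (one random
32-bit offset per direction; sequence numbers are shifted in one direction
and the matching ACKs are un-shifted in the other). Not any product's code.
"""
import secrets

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class IsnRandomizer:
    """Per-connection state: one random offset for each direction.

    Offsets of 0 in both directions act as an "off switch": every packet
    passes through unchanged, which is what a pure pass-through would cost.
    """

    def __init__(self, c2s_offset=None, s2c_offset=None, rewrite_acks=True):
        self.c2s = secrets.randbelow(MOD) if c2s_offset is None else c2s_offset
        self.s2c = secrets.randbelow(MOD) if s2c_offset is None else s2c_offset
        # rewrite_acks=False deliberately models the broken "one direction only"
        # firewall from the thread: SEQ is shifted but ACKs are left alone.
        self.rewrite_acks = rewrite_acks

    def client_to_server(self, seq, ack, has_ack):
        # SEQ is in the client's space: add the c2s offset so the server (and
        # anyone watching the wire) sees a randomized value.
        new_seq = (seq + self.c2s) % MOD
        # ACK refers to the server's space as seen by the client, i.e. already
        # shifted by s2c, so the s2c offset must be removed again.
        new_ack = (ack - self.s2c) % MOD if (has_ack and self.rewrite_acks) else ack
        return new_seq, new_ack

    def server_to_client(self, seq, ack, has_ack):
        # Mirror image of client_to_server with the roles of the offsets swapped.
        new_seq = (seq + self.s2c) % MOD
        new_ack = (ack - self.c2s) % MOD if (has_ack and self.rewrite_acks) else ack
        return new_seq, new_ack


def simulate_handshake(fw, client_isn, server_isn):
    """Run a three-way handshake through the firewall.

    Returns what each endpoint's ISN looked like on the wire and whether each
    endpoint accepted the ACK it received (ack == own ISN + 1 mod 2^32).
    """
    # 1. SYN: client -> firewall -> server (no ACK field to translate yet)
    wire_client_isn, _ = fw.client_to_server(client_isn, 0, has_ack=False)

    # 2. SYN/ACK: the server acknowledges the ISN it actually saw on the wire
    wire_server_isn, ack_to_client = fw.server_to_client(
        server_isn, (wire_client_isn + 1) % MOD, has_ack=True)
    client_accepts = ack_to_client == (client_isn + 1) % MOD

    # 3. ACK: the client acknowledges the server ISN it saw on the wire
    _, ack_to_server = fw.client_to_server(
        (client_isn + 1) % MOD, (wire_server_isn + 1) % MOD, has_ack=True)
    server_accepts = ack_to_server == (server_isn + 1) % MOD

    return {
        "wire_client_isn": wire_client_isn,
        "wire_server_isn": wire_server_isn,
        "client_accepts": client_accepts,
        "server_accepts": server_accepts,
    }


if __name__ == "__main__":
    # Constructed sample ISNs; a real stack would pick its own.
    c_isn, s_isn = 0xFFFFFFF0, 0x12345678
    print("both directions:", simulate_handshake(IsnRandomizer(), c_isn, s_isn))
    print("SEQ only, ACKs untouched:",
          simulate_handshake(IsnRandomizer(rewrite_acks=False), c_isn, s_isn))
    print("off switch:", simulate_handshake(IsnRandomizer(0, 0), c_isn, s_isn))
```

With both directions rewritten, each endpoint still sees its own ISN acknowledged exactly, while the wire carries ISNs that neither endpoint chose. Leaving the reverse ACKs alone makes the client receive an ACK for a number it never sent, so the handshake never completes; that is the "breaks horribly" case. Zero offsets reproduce pass-through behaviour for the performance question.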
