"Paul D. Robertson" wrote:
>
> What I meant by "both sides" is do you also randomize the server's
> sequence number going back to the client (first ACK), not just the
> client's ISN going to the server.

Okay, we're probably just confusing each other with fuzzy terminology
here. I'll try it in pseudocode.

  Open state:
    STATE.offs1 = yarrow_uint32()
    STATE.offs2 = yarrow_uint32()

  Packet from originator to responder:
    TCPHDR.SEQ += STATE.offs1
    TCPHDR.ACK -= STATE.offs2

  Packet from responder to originator:
    TCPHDR.SEQ += STATE.offs2
    TCPHDR.ACK -= STATE.offs1

> Is there an "off" switch for performance if the firewall just
> sits in front of a Web farm for instance?

Nope. But that has never been a problem. Removing the randomization
would buy you very little in performance and has the potential to cost
you a whole lot more in security.

Anyway, for rules that specify SYN relaying, we don't have much choice
but to generate our own sequence numbers and then do offsetting once
we learn what the server is actually using.

Besides, you're supposed to be toting proxies here, remember? You don't
get to speak about performance in this thread :)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
Ynlre 8 frphevgl fbyhgvbaf: uggc://yneg.onqs00q.bet

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
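
The per-direction offsetting described in the message above, as an added worked example in Python (not Clavister's code and not part of the original post). It models the two offsets picked when a connection state is opened, applies the SEQ/ACK rewrite in each direction with 32-bit wraparound, and runs a simulated three-way handshake through the rewriter to show that both endpoints still see consistent acknowledgement numbers while neither ever sees the other's raw ISN. It also models the SYN-relay case mentioned at the end: the firewall has already answered with its own ISN, so once the real server ISN is learned, offs2 is chosen to bridge the two. yarrow_uint32() is replaced by secrets.randbits(32); ConnState, rewrite_orig_to_resp, rewrite_resp_to_orig, learn_server_isn, simulate_handshake and handshake_consistent are names invented for this example.

```python
import secrets

MASK = 0xFFFFFFFF  # TCP sequence/ack fields are 32-bit and wrap modulo 2**32


class ConnState:
    """Per-connection offsets, one per direction, picked when the state is opened.

    The post draws them from yarrow_uint32(); this example uses
    secrets.randbits(32) as a stand-in (assumption, not the firewall's code).
    Fixed offsets may be passed in for deterministic testing."""

    def __init__(self, offs1=None, offs2=None):
        self.offs1 = secrets.randbits(32) if offs1 is None else offs1 & MASK
        self.offs2 = secrets.randbits(32) if offs2 is None else offs2 & MASK


def rewrite_orig_to_resp(state, seq, ack):
    """Originator -> responder: SEQ += offs1, ACK -= offs2 (mod 2**32)."""
    return (seq + state.offs1) & MASK, (ack - state.offs2) & MASK


def rewrite_resp_to_orig(state, seq, ack):
    """Responder -> originator: SEQ += offs2, ACK -= offs1 (mod 2**32)."""
    return (seq + state.offs2) & MASK, (ack - state.offs1) & MASK


def learn_server_isn(state, firewall_isn, server_isn):
    """SYN-relay case: the firewall already answered the client with its own
    ISN, so once the real server ISN is seen, offs2 is set such that
    server_isn + offs2 == firewall_isn and the client keeps seeing the
    numbers it was first given. Returns the new offs2."""
    state.offs2 = (firewall_isn - server_isn) & MASK
    return state.offs2


def simulate_handshake(state, client_isn, server_isn):
    """Run a three-way handshake through the rewriter.

    Returns (client_view, server_view): lists of (seq, ack) pairs as seen on
    each side of the firewall, in the order SYN, SYN-ACK, ACK."""
    # 1. SYN from client: seq=client_isn; the ack field is unused on a bare SYN
    c_syn = (client_isn, 0)
    s_seq, _ = rewrite_orig_to_resp(state, *c_syn)
    s_syn = (s_seq, 0)

    # 2. SYN-ACK from server: seq=server_isn, ack = (seq it saw) + 1
    s_synack = (server_isn, (s_syn[0] + 1) & MASK)
    c_synack = rewrite_resp_to_orig(state, *s_synack)

    # 3. ACK from client: seq=client_isn+1, ack = (seq it saw) + 1
    c_ack = ((client_isn + 1) & MASK, (c_synack[0] + 1) & MASK)
    s_ack = rewrite_orig_to_resp(state, *c_ack)

    return [c_syn, c_synack, c_ack], [s_syn, s_synack, s_ack]


def handshake_consistent(state, client_isn, server_isn):
    """True if the offsets cancel end to end: the client's received ACK equals
    client_isn+1 and the server's received ACK equals server_isn+1, exactly as
    if no rewriting had happened."""
    client_view, server_view = simulate_handshake(state, client_isn, server_isn)
    _, c_synack, _ = client_view
    _, _, s_ack = server_view
    return (c_synack[1] == (client_isn + 1) & MASK
            and s_ack[1] == (server_isn + 1) & MASK)


if __name__ == "__main__":
    st = ConnState()
    ok = handshake_consistent(st, 0xFFFFFFF0, 12345)  # client ISN near wrap
    print("offsets cancel end to end:", ok)
```

Because each direction uses its own offset and the ACK field is shifted by the opposite direction's offset, the arithmetic cancels for both endpoints while an observer on either side sees only the shifted numbers. Whatever a 32-bit wrap does to the raw values, masking every result keeps the rewrite exact.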
