On Sat, Dec 13, 2003 at 01:51:49AM +0200, Toni Riekkinen wrote:

> What is the difference between using "scrub all reassemble tcp" and using
> "modulate state" in incoming traffic rules, i.e. for a webserver in DMZ:
'modulate state' applies to sequence numbers (th_seq, th_ack), which are a very basic part of TCP. When a connection is established, each peer should choose a random initial sequence number, which then gets increased by the amount of data sent. It's crucial for security that these initial sequence numbers are unpredictable for outside parties; otherwise attackers can inject data into the connection or stall or reset it. Some OSes' TCP/IP stacks are known to generate weak (non-random, predictable) initial sequence numbers, and modulate state will compensate for them by adding/subtracting a random modulator value.

'reassemble tcp' enables multiple normalization features for TCP packets, one of them being 'timeout modulation'. It's a similar scheme, but applied to timestamp TCP options. Such timestamps need not be random for security reasons, but non-random values can disclose your uptime or number of hosts (behind a NAT gateway), so you may wish to modulate them to not disclose that information. For instance, netcraft.com shows uptimes for certain hosts because they don't use random timestamps, and some ISPs prohibit use of multiple (NATed) hosts, analyzing timestamps to detect violations.

So, these are two different and independent things. You can enable either of them, both or none.

All of this is detailed in pf.conf(5), BTW.

Daniel
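The two options side by side in a ruleset, as an added example that is not part of the mail thread or of pf's documentation. The interface names and the webserver address are assumptions; the syntax is the pf.conf(5) form of that era, where 'scrub' is a separate normalization rule and 'modulate state' is a per-rule state option:

```pf
# Added example (not from the mail above): webserver in a DMZ.
# Interface names and addresses are assumptions.
ext_if  = "fxp0"
dmz_if  = "fxp1"
www_srv = "192.0.2.10"

# Normalize everything arriving on the external interface. 'reassemble tcp'
# is what enables timestamp modulation (and the other TCP normalizations);
# it is independent of the state options on the pass rules below.
scrub in on $ext_if all reassemble tcp

block in on $ext_if all

# HTTP to the webserver. 'modulate state' creates state like 'keep state'
# but additionally rewrites the sequence numbers with a random modulator,
# so a weak ISN generated by the server never reaches the outside.
pass in on $ext_if proto tcp from any to $www_srv port 80 \
    flags S/SA modulate state

# Either option can be used without the other: drop the scrub line and the
# sequence numbers are still modulated; replace 'modulate state' with
# 'keep state' and timestamps are still modulated by scrub.
pass out on $ext_if proto tcp from $www_srv to any flags S/SA keep state
```

The scrub rule acts on packets before the filter rules see them, so it applies to every connection that passes the external interface, not only to the ones matched by the 'modulate state' rule.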

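To make the two mechanisms concrete, the following is an added example, not code from pf or from the mail above. It models what 'modulate state' does to sequence and acknowledgement numbers (a per-state random modulator applied with 32-bit wraparound in each direction), and then shows what an observer can do with unmodulated TCP timestamps: recover the tick rate and hence the uptime, and count distinct clocks behind one NAT address. The tick-rate table and all sample values are constructed for the example.

```python
"""Added example, not code from pf or from the mail above. It models the two
mechanisms Daniel describes so they can be compared side by side:

  * ModulatedState         - what 'modulate state' does to seq/ack numbers
  * estimate_uptime        - what an observer learns from unmodulated TCP
                             timestamps, the reason 'reassemble tcp'
                             modulates them
  * count_hosts_behind_nat - the same timestamps used to count NATed hosts

All sample values are constructed for the example."""
import secrets

MASK32 = 0xFFFFFFFF


class ModulatedState:
    """Model of one pf TCP state created with 'modulate state'.

    Each direction gets its own random 32-bit modulator, chosen once per
    state. The end hosts keep their own (possibly predictable) ISNs; only the
    translated numbers appear on the far side of the firewall. Because the
    translation is addition modulo 2**32 it is lossless and needs nothing
    beyond the two values stored in the state entry.
    """

    def __init__(self, mod_client=None, mod_server=None):
        # Fixed modulators may be passed in for tests; pf picks both randomly.
        self.mod_client = secrets.randbelow(1 << 32) if mod_client is None else mod_client
        self.mod_server = secrets.randbelow(1 << 32) if mod_server is None else mod_server

    def client_to_server(self, seq, ack):
        """Rewrite (seq, ack) of a segment travelling from client to server."""
        return ((seq + self.mod_client) & MASK32,
                (ack - self.mod_server) & MASK32)

    def server_to_client(self, seq, ack):
        """Rewrite (seq, ack) of a segment travelling from server to client."""
        return ((seq + self.mod_server) & MASK32,
                (ack - self.mod_client) & MASK32)


# Tick rates commonly used for the TCP timestamp clock (an assumption of this
# example; the real rate is whatever the sending OS happens to use).
COMMON_HZ = (2, 10, 100, 250, 1000)


def estimate_tick_rate(samples):
    """samples: [(wall_clock_seconds, tsval), ...] from one host, oldest first.
    Returns the tick rate in Hz, snapped to the nearest common value."""
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    raw = ((ts1 - ts0) & MASK32) / (t1 - t0)
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw))


def estimate_uptime(samples):
    """Seconds since the host's timestamp clock started, i.e. roughly its
    uptime if the clock started at zero at boot. With modulated timestamps the
    tick rate still looks right, but the offset, and so the 'uptime', is just
    the random modulator."""
    return samples[-1][1] / estimate_tick_rate(samples)


def count_hosts_behind_nat(samples, hz, tolerance_ticks=50):
    """Samples seen from one NAT address, all hosts assumed to tick at hz.
    Each host's tsval lies on its own line tsval = hz*t + c; intercepts c
    further apart than the tolerance mean distinct clocks, i.e. hosts."""
    intercepts = sorted(ts - hz * t for t, ts in samples)
    hosts, last = 0, None
    for c in intercepts:
        if last is None or c - last > tolerance_ticks:
            hosts += 1
        last = c
    return hosts


if __name__ == "__main__":
    # Handshake with deliberately weak ISNs (100 and 200) behind a modulator.
    st = ModulatedState(mod_client=1000, mod_server=5000)
    print("client SYN seq on the wire:", st.client_to_server(100, 0)[0])
    print("SYN/ACK as the client sees it:", st.server_to_client(200, 1101))

    # Host ticking at 100 Hz that booted about three days earlier (constructed).
    host = [(0.0, 25_920_000), (30.0, 25_923_000)]
    print("tick rate:", estimate_tick_rate(host), "uptime (s):", estimate_uptime(host))

    # Two internal hosts behind one NAT address (constructed).
    nat = [(0, 25_920_000), (5, 1_000_500), (10, 25_921_000),
           (12, 1_001_200), (20, 25_922_000)]
    print("hosts behind NAT:", count_hosts_behind_nat(nat, 100))
```

The modulated handshake shows the point of the first mechanism: the server's SYN/ACK acknowledges the modulated number 1101, and after the reverse translation the client sees an acknowledgement of 101, its own ISN plus one, so neither end notices the rewrite. The timestamp functions show the second: on a host whose counter started at boot the intercept of the tsval line is its uptime in ticks, and two hosts behind one NAT show up as two separate lines.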