[ If playing with any of this the first thing to check is to read the pf.conf man page ]
TCP connections have sequence numbers to prevent loss/duplication of data by the network, or insertion of data by a 3rd party. The sequence number generation on many OSes is poor, allowing for easier attacks, and often OS guessing.

With keep state PF keeps track of the 'stage' of connection setup/teardown and also the CORRECT sequence numbers midway through a connection, blocking inappropriate packets.

With modulate state PF translates the sequence numbers for ones that are more random, making insertion and OS guessing more difficult (in fact the OS will look like the best one out there - OpenBSD :-) ).

synproxy state is the next 'step' in this protection, as PF actually does the initial TCP handshake (SYN, SYN-ACK, ACK) without involving the server, and only forwards the (modulated) connection setup packets once the client completes the 3-way handshake with PF.

Fyodor wrote an excellent paper on the whole thing, see http://insecure.org/nmap for the link.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto Tel. 07855 805 271
http://www.devitto.com mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Toni Riekkinen
Sent: Friday, December 12, 2003 11:52 PM
To: [EMAIL PROTECTED]
Subject: About using reassemble tcp/modulate state

I've read from archives that there have been some problems with using i.e:

    scrub on $ext_if all random-id reassemble tcp

Is it safe to use this, or will I get some sort of connection problems from different clients (Suse, Windows..)? I can't use it in production environment if not knowing for sure and I just don't know how to test it.

I'm using OpenBSD 3.4 as transparent bridge to protect DMZ (with email and webservers), and I'd like the idea about protecting my servers with timeout modulation to make it kind of harder to find out what OS's I'm using behind my fw.

What is the difference between using "scrub all reassemble tcp" and using "modulate state" in incoming traffic rules, i.e for webserver in DMZ:

    pass in quick on $ext_if proto tcp from any to $webserver port 80 \
        flags S/SA modulate state

Best regards,
++Toni
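The following pf.conf fragment is an added example, written for this page and not taken from either poster's ruleset; it puts the three state options Dom describes and the scrub line Toni asks about side by side for the transparent-bridge DMZ scenario in the thread. The macro names ($ext_if, $webserver, $mailserver), the interface name and the 192.0.2.x addresses are assumptions constructed for the example.

```pf
# Added example pf.conf fragment (not from the original thread).
# Macro names, interface and addresses below are assumptions.
ext_if     = "fxp0"
webserver  = "192.0.2.10"      # constructed documentation address
mailserver = "192.0.2.25"      # constructed documentation address

# Normalisation: "reassemble tcp" normalises TTL and TCP timestamps,
# "random-id" randomises the IP id field. Neither rewrites TCP sequence
# numbers; that is the job of modulate state / synproxy state below.
scrub in on $ext_if all random-id reassemble tcp

block in on $ext_if all

# keep state: PF tracks the handshake stage and the sequence window and
# drops packets that do not fit the known state of the connection.
pass in quick on $ext_if proto tcp from any to $mailserver port 25 \
    flags S/SA keep state

# modulate state: as above, plus PF replaces the server's initial
# sequence numbers with its own random ones, so a remote peer sees
# OpenBSD-style ISNs rather than the DMZ host's.
pass in quick on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA modulate state

# synproxy state: PF completes the 3-way handshake itself and only opens
# the connection to the server once the client has finished it.
# synproxy state includes the functionality of keep state and modulate state.
pass in quick on $ext_if proto tcp from any to $webserver port 443 \
    flags S/SA synproxy state

# Replies from the DMZ hosts match the states created above; connections
# the DMZ hosts themselves initiate still need their own rule.
pass out on $ext_if proto tcp all flags S/SA keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -s state` while a client connects to confirm the state entry is created; `flags S/SA` matters here because modulate state and synproxy state must see the initial SYN to create the state, and a rule that also matched mid-stream packets would leave those connections without sequence-number tracking.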
