Modulate state randomizes the sequence number generation.
Sequence number generation technique and randomness is a dead giveaway
for many OSes.

So modulate state, for those OSes, helps them look less like the
OS they are, but this is NOT the purpose of modulate state.

The purpose of modulate state is that poorly random sequence number
generation is a vulnerability that can enable a hack to take over,
close or spoof a TCP connection.  

In reality, there are many, many, many other ways to detect the OS,
and properly randomising the seq. numbers only prevents one way.

Modulate state is only recommended 'where required' because of the
extra work and state that is required per connection, however to the
credit of the OpenBSD team, I would recommend putting modulate state
on all connections as it has been (mathematically) proved that OpenBSD
has the best sequence number generation of any other OS, so the
'better' OSes can be raised up to the level of the best, OpenBSD :-)

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of A.
Wright
Sent: Wednesday, December 24, 2003 4:06 PM
To: [EMAIL PROTECTED]
Subject: Re: About using reassemble tcp/modulate state

I have a question about the statement below.  Does the use of 'modulate
state' really disguise the OS of computers behind your OpenBSD NAT/pf
firewall box?  I have not found this to be the case, but I don't know if
this is because I'm using the FreeBSD port or not.  Can someone clarify?

Thanks for your time.
Aaron

> The sequence number generation on many OSes is poor, allowing for 
> easier attacks, and often OS guessing.  With keep state PF keeps track 
> of the 'stage' of connection setup/teardown and also the CORRECT 
> sequence numbers midway through a connection, blocking inappropriate 
> packets.  With modulate state PF translates the sequence numbers for 
> ones that are more random, making insertion and OS guessing more 
> difficult (in fact the OS will look like the best one out there - 
> OpenBSD :-) )
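
Added example, not part of the thread and not pf's own code: a simplified Python model of the sequence number translation discussed above, showing why a host with predictable ISNs stops looking predictable from outside. It assumes the translation is one random 32-bit offset stored per connection; the fixed-step host, the addresses and all names are constructed for illustration.

```python
import secrets

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

def weak_isn_stream(start=1_000_000, step=64_000):
    """Constructed stand-in for a host whose ISNs grow by a fixed step."""
    isn = start
    while True:
        yield isn % MOD
        isn += step

class Modulator:
    """Hypothetical model of a firewall that rewrites sequence numbers."""
    def __init__(self):
        self.offsets = {}  # connection 4-tuple -> offset (the extra per-connection state)

    def outbound_syn(self, conn, isn):
        # Pick a non-zero random offset when the connection is first seen.
        self.offsets[conn] = secrets.randbelow(MOD - 1) + 1
        return self.outbound_seq(conn, isn)

    def outbound_seq(self, conn, seq):
        # Protected host -> outside: shift into the randomized number space.
        return (seq + self.offsets[conn]) % MOD

    def inbound_ack(self, conn, ack):
        # Outside -> protected host: undo the shift so the host sees its own numbering.
        return (ack - self.offsets[conn]) % MOD

def observed_deltas(n=5):
    """Return (ISN deltas seen inside, ISN deltas seen outside) over n connections."""
    fw, gen = Modulator(), weak_isn_stream()
    inside, outside = [], []
    for port in range(40000, 40000 + n):
        conn = ("10.0.0.5", port, "192.0.2.10", 80)  # constructed addresses
        isn = next(gen)
        inside.append(isn)
        outside.append(fw.outbound_syn(conn, isn))
    diff = lambda xs: [(b - a) % MOD for a, b in zip(xs, xs[1:])]
    return diff(inside), diff(outside)

if __name__ == "__main__":
    inner, outer = observed_deltas()
    print("ISN deltas behind the firewall:", inner)  # constant step
    print("ISN deltas seen outside:       ", outer)  # no fixed step
```

The model covers only the seq/ack rewrite; it does not track connection stage or validate windows as 'keep state' does.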

