Hi,
On Fri, 6 Feb 2004, Samudra Reiher wrote:
> is there any option for pf to prevent passive os fingerprinting for the
> clients behind an obsd nat-box?
Use the 'modulate state' option on your 'pass out' rule to randomize TCP ISN
generation, and the options 'reassemble tcp' (timestamp modulation) and
'random-id' in your 'scrub' rule.
man pf.conf (scrub option):

    random-id
        Replaces the IP identification field with random values to compensate
        for predictable values generated by many hosts. This option only
        applies to outgoing packets that are not fragmented after the optional
        fragment reassembly.
> I've tested this with http://lcamtuf.coredump.cx/p0f-help/ and got some
> interesting results of my network behind the router.
On this site, you can see this message:
"Do not submit entries if you are behind a firewall with packet
normalization (OpenBSD pf "scrub" / "modulate" option or such)."
A++ Laurent
--
Laurent Cheylus <[EMAIL PROTECTED]> OpenPGP ID 0x5B766EC2
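Putting the three options above together in a pf.conf fragment for a NAT gateway (an added example, not part of the mail or of the pf manual; the interface names fxp0/fxp1 and the 192.168.1.0/24 client network are assumptions):

```pf
# Added example: pf.conf for an OpenBSD NAT box whose clients should not
# leak their OS fingerprint. Interface and address names are assumptions.
ext_if = "fxp0"          # assumed external interface
int_if = "fxp1"          # assumed internal interface
lan    = "192.168.1.0/24" # assumed client network behind the NAT

# Normalize everything entering the box (defragmentation, sanity checks).
scrub in all

# On the way out: 'reassemble tcp' statefully normalizes TCP connections
# (including timestamp modulation) and 'random-id' replaces the IP ID with
# random values. Note the caveat from the manual: random-id only applies to
# outgoing packets that are not fragmented after reassembly.
scrub out on $ext_if all reassemble tcp random-id

# Translate the client network to the external address.
nat on $ext_if from $lan to any -> ($ext_if)

# 'modulate state' rewrites the TCP initial sequence numbers of the clients'
# connections, so their own ISN generator is not visible from outside.
# It is TCP-only; UDP and ICMP simply keep state.
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from ($ext_if) to any keep state
```

Keep in mind that p0f also looks at the SYN's window size, TTL, DF bit, MSS and option ordering, which these rules do not rewrite, so normalization reduces the fingerprint signal rather than removing it entirely. Check the active rules with `pfctl -sr` after loading.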