> Is there a way with pf to "wash" these ambiguities (window size, syn packet
> size, etc) away so that all outgoing TCP packets look the same?  Maybe even
> set them to user-defined variables, as we already can with 'max-mss' and
> 'min-ttl'?

Use the syn-proxy.  It crafts all of the SYNs by hand.  It is still
possible to fingerprint based on things like the retransmission timers
but that is much harder and they'd be better off looking at HTTP
User-Agent discrepancies.

.mike

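As an added example (not part of the original thread and not pf code), the following Python extracts the SYN fields the question names (TTL, SYN packet size, window size, MSS, option layout) so that SYNs captured on the outside of the firewall can be compared for a single shared signature. The helper names, the sample packets and all their values are constructed for illustration; `PROXIED` is an assumed shape, not measured from pf.

```python
import struct
OPT_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def syn_signature(pkt: bytes) -> tuple:
    """(ttl, df, syn_size, window, mss, option_layout) of an IPv4 TCP SYN."""
    if len(pkt) < 40:
        raise ValueError("too short for IPv4 + TCP headers")
    ver_ihl, _, total_len, _, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    if ver_ihl >> 4 != 4 or proto != 6 or len(tcp) < 20:
        raise ValueError("not a complete IPv4/TCP packet")
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if off_flags & 0x12 != 0x02:            # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    opts = tcp[20:(off_flags >> 12) * 4]
    layout, mss, i = [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end-of-options marker
            layout.append("eol")
            break
        if kind == 1:                       # NOP padding, single byte
            layout.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed TCP option")
        if kind == 2 and opts[i + 1] == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        layout.append(OPT_NAMES.get(kind, str(kind)))
        i += opts[i + 1]
    return (ttl, bool(frag & 0x4000), total_len, window, mss, ",".join(layout))

def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Constructed sample SYN: DF set, zero checksums, documentation addresses."""
    tcp_len = 20 + len(options)             # options padded to a 4-byte multiple
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0, 0,
                      ((tcp_len // 4) << 12) | 0x02, window, 0, 0)
    return ip + tcp + options

def distinct_signatures(packets) -> set:
    """One element means the captured SYNs cannot be told apart by these fields."""
    return {syn_signature(p) for p in packets}

# Constructed samples (hypothetical stacks, not measured from any real OS or pf).
HOST_A = build_syn(64, 16384,
                   bytes.fromhex("020405b4 01010402 01030300 0101080a" + "00" * 8))
HOST_B = build_syn(128, 65535, bytes.fromhex("020405b4 01010402"))
PROXIED = build_syn(64, 8192, bytes.fromhex("020405b4"))
```

Feeding it SYNs from several internal hosts, captured beyond the firewall, should yield one signature if every SYN really is crafted by the proxy; the timing-based and User-Agent differences mentioned in the reply are outside what these header fields show.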