Shouldn't the "modulate state" option foil
fingerprinting via ISNs since it creates random ones?
I don't think there is an acceptable way to normalize
the TCP window size...Then you'd be messing with
buffer management at the endpoints. You'd have to
proxy for that.
from man 8 pf.conf:
     Much of the security derived from TCP is attributable to how well
     the initial sequence numbers (ISNs) are chosen.  Some popular stack
     implementations choose very poor ISNs and thus are normally
     susceptible to ISN prediction exploits.  By applying a modulate
     state rule to a TCP connection, pf(4) will create a high quality
     random sequence number for each connection endpoint.

     The modulate state directive implicitly keeps state on the rule
     and is only applicable to TCP connections.
TRS
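For reference, here is a pf.conf fragment contrasting a plain `keep state` rule with the `modulate state` rule the man page excerpt above describes. This is an added example, not part of the original post or of the pf documentation; the interface name `em0` is assumed, and the rules are written for an external interface that initiates outbound TCP connections.

```pf
ext_if = "em0"

# Weak: keep state tracks the connection, but the endpoints' own ISNs
# pass through unchanged, so a stack with a poor ISN generator stays
# exposed to ISN prediction (and ISN-based OS fingerprinting).
pass out on $ext_if proto tcp from any to any flags S/SA keep state

# Better: modulate state implicitly keeps state and, in addition,
# rewrites the sequence numbers with pf-generated high quality random
# ones for each endpoint of the connection.
pass out on $ext_if proto tcp from any to any flags S/SA modulate state

# modulate state applies to TCP only; non-TCP traffic still needs an
# explicit keep state rule.
pass out on $ext_if proto { udp, icmp } from any to any keep state
```

Load-test the file before activating it with `pfctl -nf /etc/pf.conf`, which parses the ruleset without installing it. Note that `modulate state` only touches sequence numbers; it does not change the advertised TCP window size, which is negotiated by the endpoints' buffer management as the post above points out.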