I don't think 'modulate state' foils OS fingerprinting. If you look at p0f (http://lcamtuf.coredump.cx/p0f.shtml), you'll see that it uses things like window size, TTL, SYN packet size, and some OS-specific quirks to identify OSes by their TCP SYN packet. (I think this is reliable, as OpenBSD uses the same OS fingerprint file as p0f, I believe.) Since 'modulate state' doesn't touch any of these, as far as I know, it doesn't help prevent OS detection. It does greatly increase security, but doesn't aid in preventing passive OS fingerprinting.
----- Original Message -----
From: "Todd Stratton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, February 20, 2004 5:31 PM
Subject: Re: Remotely Counting Machines Behind Nat

> Shouldn't the "modulate state" option foil fingerprinting via ISNs since it creates random ones?
> I don't think there is an acceptable way to normalize the TCP window size... Then you'd be messing with buffer management at the endpoints. You'd have to proxy for that.
>
> from man 8 pf.conf:
> Much of the security derived from TCP is attributable to how well the initial sequence numbers (ISNs) are chosen. Some popular stack implementations choose very poor ISNs and thus are normally susceptible to ISN prediction exploits. By applying a modulate state rule to a TCP connection, pf(4) will create a high quality random sequence number for each connection endpoint.
>
> The modulate state directive implicitly keeps state on the rule and is only applicable to TCP connections.
>
> TRS
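To make the reply's point concrete, here is an added example (not code from the thread, from p0f, or from pf): a minimal p0f-style SYN signature extractor run over two hand-built SYN packets that differ only in their ISN. The packets are constructed in-line with struct (addresses, ports and checksums are placeholders), and the signature fields are the ones the reply names: TTL, DF bit, window size, total SYN size and TCP option layout.

```python
import struct

def build_syn(isn, ttl=64, window=65535, mss=1460, wscale=None):
    """Constructed IPv4+TCP SYN sample (checksums left zero; not a real capture)."""
    opts = struct.pack("!BBH", 2, 4, mss)                    # MSS option
    if wscale is not None:
        opts += struct.pack("!BBB", 3, 3, wscale) + b"\x01"  # window scale + NOP pad
    data_off = 5 + len(opts) // 4                            # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, isn, 0, data_off << 4, 0x02, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(opts), 1, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + opts

def fingerprint(pkt):
    """Return (p0f-style signature dict, ISN) for a raw IPv4+TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)   # Don't-Fragment bit
    ttl = pkt[8]
    tcp = pkt[ihl:]
    isn = struct.unpack("!I", tcp[4:8])[0]
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    layout, i = [], 0
    while i < len(opts):                                     # record option order and values
        kind = opts[i]
        if kind == 0:                                        # end-of-options list
            layout.append("E")
            break
        if kind == 1:                                        # NOP
            layout.append("N")
            i += 1
            continue
        length = opts[i + 1]
        val = opts[i + 2:i + length]
        if kind == 2:
            layout.append("M%d" % struct.unpack("!H", val)[0])
        elif kind == 3:
            layout.append("W%d" % val[0])
        else:
            layout.append("?%d" % kind)
        i += length
    sig = {"ttl": ttl, "df": df, "window": window, "syn_size": total_len, "opts": ",".join(layout)}
    return sig, isn

def same_os_signature(pkt_a, pkt_b):
    """True when every field p0f keys on matches, whatever the ISNs are."""
    return fingerprint(pkt_a)[0] == fingerprint(pkt_b)[0]
```

Two SYNs built with the same stack parameters but different ISNs give identical signatures, while changing TTL or window (as a different OS would) breaks the match.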
