Hi,
I think I understand "modulate state" but I'd like to run my reasoning past the list for correction or criticism.
If I have a rule
pass out on $ext_if proto tcp modulate state
then the tcp ISNs on packets leaving my firewalled network will be replaced
with better ones, making my connection less vulnerable to hijacking by
guessing the ISN.
If I have a rule
pass in on $ext_if proto tcp modulate state
then tcp packets entering my firewalled network will have their ISNs replaced.
This protects against sequence number attacks against tcp connections as they
cross my DMZ or local network, but naturally can't do anything about the portion
of the connection traversing the public internet. Replies to the incoming tcp
packet will have their ISNs replaced with better ones, protecting the server
(inside firewall) to client half of the connection over the public internet.
Is this correct?
Best Wishes, Greg
Gregory Wright Antiope Associates LLC 18 Clay Street Fair Haven, New Jersey 07704
[EMAIL PROTECTED]
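A toy model of what the firewall does under "modulate state", added here as an illustration rather than code from pf or from the poster: the state entry holds one random per-connection offset, adds it to the sequence numbers of the side whose SYN created the state, and subtracts it from the peer's acknowledgements, so the wire carries an unpredictable ISN while both hosts see a consistent handshake (class and function names are my own).

```python
import secrets

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class ModulatedState:
    """One pf-style state entry for a TCP connection under 'modulate state'.

    The side whose SYN created the state keeps using its own, possibly
    predictable, sequence numbers; the firewall adds a random per-state
    offset on the way out and removes it from the peer's acknowledgements
    on the way in, so neither endpoint notices the rewrite.
    """

    def __init__(self, seqdiff=None):
        # The offset is drawn once per state (pf uses its own generator);
        # a fixed value may be passed to make a run reproducible.
        self.seqdiff = secrets.randbelow(MOD) if seqdiff is None else seqdiff % MOD

    def initiator_to_peer(self, seq, ack):
        """Packet from the initiating side: shift SEQ, leave ACK alone."""
        return (seq + self.seqdiff) % MOD, ack

    def peer_to_initiator(self, seq, ack):
        """Packet from the peer: undo the shift on its ACK, leave SEQ alone."""
        return seq, (ack - self.seqdiff) % MOD


def handshake_is_consistent(host_isn, peer_isn, seqdiff=None):
    """Drive a three-way handshake through a modulated state.

    Returns (consistent, wire_isn): whether both endpoints saw a coherent
    exchange, and the ISN that actually appeared on the peer-facing wire.
    Wrap-around at 2^32 is exercised when seqdiff is close to MOD.
    """
    st = ModulatedState(seqdiff)
    # SYN: initiator -> firewall -> peer; the peer sees the shifted ISN
    wire_syn_seq, _ = st.initiator_to_peer(host_isn, 0)
    # SYN/ACK: the peer acknowledges the wire ISN + 1
    _, host_sees_ack = st.peer_to_initiator(peer_isn, (wire_syn_seq + 1) % MOD)
    # The initiator expects its own ISN + 1 to be acknowledged
    host_ok = host_sees_ack == (host_isn + 1) % MOD
    # ACK: initiator acknowledges peer ISN + 1, its own SEQ advanced by one
    wire_seq, wire_ack = st.initiator_to_peer((host_isn + 1) % MOD, (peer_isn + 1) % MOD)
    peer_ok = wire_seq == (wire_syn_seq + 1) % MOD and wire_ack == (peer_isn + 1) % MOD
    return host_ok and peer_ok, wire_syn_seq
```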
