I was the college intern that did ISIC for Kevin's group about 8 years ago
now. It was a good group to work for. I learned a lot and had a ton of
room to play. Accidentally took down ATT's early wireless network while
pen testing a special peering arrangement the two companies had. I did a
lot
Last, as for the signature that may be different on the same computer if
controlled by a webbot, is that possible? I guess not as the TCP stack
isn't changed, but does anyone know for sure? I am curious about that part.
It will only change if the application does a setsockopt() and changes
the socket
Sorry, 'modulate tcp' was a thinko. I had been meaning to move
'modulate state' into the scrubber for a long time.
Reassemble TCP does aggressive TCP PAWS checks on the TCP timestamps.
It does the usual PAWS check to make sure a timestamp is not older than
the last echoed value - which is in
You're going to have to turn off 'modulate tcp'. One of the TCP
endpoints isn't following PAWS and stopped sending the TCP
Timestamps or someone is trying to blind hijack the connection.
More info - I ran a test scenario.
Here is a sample of the messages I get via syslog with set debug loud
# pfctl -nvf /etc/pf.conf > /root/orig
# pfctl -novf /etc/pf.optimized > /root/optimized
# diff -u /root/orig /root/optimized | less
hi there,
i would like to compare my rules with the optimized ones.
is there a simple way to make pf show the optimized rules
without applying them? just a
is there a possibility to tell pf.conf to accept malformed packets.
turn off 'reassemble tcp' in your scrub rule if you don't want to
validate the packets.
pfctl -x loud tells me:
Aug 24 09:50:43 gw-bonn /bsd: pf_normalize_tcp_stateful: Did not receive
expected RFC1323 timestamp
6 matches