pf & outbound modulate state

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Craig Skinner <craig.skinner@...>

To: <misc@...>

Subject: pf & outbound modulate state

Date: Saturday, September 15, 2007 - 10:00 am

Doing a pf.conf tidy up. From the pf.conf man page on 4.1:

STATE MODULATION

Much of the security derived from TCP is attributable to how well the
initial sequence numbers (ISNs) are chosen. Some popular stack implemen
tations choose very poor ISNs and thus are normally susceptible to ISN
prediction exploits. By applying a modulate state rule to a TCP connec-
tion, pf(4) will create a high quality random sequence number for each
connection endpoint.

Therefore, because OBSD uses quality ISNs, there is no point in
modulating state on outbound packets that ORIGINATE (i.e. not passed
through) an OBSD host. No?
--
Craig Skinner | http://www.kepax.co.uk | aye-right@kepax.co.uk

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

pf & outbound modulate state, Craig Skinner, (Sat Sep 15, 10:00 am)

Re: pf & outbound modulate state, Henning Brauer, (Sat Sep 15, 5:57 pm)


linux-kernel:
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
Andrew Morton	2.6.23-rc6-mm1
Eric Paris	[RFC 0/5] [TALPA] Intro to a linux interface for on access scanning
linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	[GIT]: Networking
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Natalie Protasevich	[BUG] New Kernel Bugs
git:

openbsd-misc:

pf & outbound modulate state

Online users