Sorry, 'modulate tcp' was a thinko. I had been meaning to move 'modulate state' into the scrubber for a long time.
Reassemble TCP does aggressive TCP PAWS checks on the TCP timestamps. It does the usual PAWS check to make sure a timestamp is not older than the last echoed value - which is in theory a wrapped sequence number. It also does its aggressive check to make sure the timestamp did not increase faster than the fastest clock which the RFC allows - an attacker can kill a connection by spoofing a higher timestamp.

In order to prevent blind TCP spoofing PF's scrub will require TCP timestamps on all data packets if the first data packet had a timestamp. There are some transparent web caches out there that will allow the 3WHS to complete (exchanging timestamp information) and then they will hijack the TCP connection. Of course the developers of the hijacking device took some liberal shortcuts that make them look just like a blind hijacker instead of a MITM hijacker. If they hijack in the middle of the data stream (like after they see the HTTP request) and stop sending TCP timestamps then PF's reassemble TCP will block further packets.

.mike

> What is 'modulate tcp'?
> modulate state works fine.
> I get these errors only with scrub's reassemble tcp option
> I originally assumed it was an Apple problem since I only had trouble
> with the OS X "Software Update" feature.
> Going back to the beginning of this thread - Walter Haidinger appears to
> have a similar problem but not with Apple.
> I was hoping he could try 'set debug loud' in his pf.conf and check his
> /var/log/messages file after testing a problem site.
> If he sees messages similar to the ones I've seen maybe we both know a
> little more.
>
> -Dan
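The three timestamp checks Mike describes above (PAWS against the value the other side last echoed, the "faster than the fastest RFC clock" bound, and the rule that a data stream which started with timestamps must keep them) written out as a small stateful checker in C. This is an added illustration for this page, not code from pf's pf_norm.c: the struct layout, function names, the 1 tick per millisecond ceiling taken from RFC 1323, the 10-tick slack, and every packet value in main() are constructed assumptions. The main() scenario assumes the hijack happens after the real server has already sent one timestamped data segment, so that the "first data packet had a timestamp" rule has been armed for that direction.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by check_segment(). */
enum verdict {
	TS_PASS = 0,
	TS_DROP_PAWS_OLD,   /* TSval older than what the other side last echoed */
	TS_DROP_TOO_FAST,   /* TSval advanced faster than the fastest RFC 1323 clock */
	TS_DROP_MISSING     /* data segment without a timestamp on a timestamped flow */
};

/* Fastest timestamp clock RFC 1323 permits: one tick per millisecond. */
#define TS_MAX_TICKS_PER_MS 1
/* Grace added to the "too fast" bound for clock granularity (assumption). */
#define TS_SLACK_TICKS      10

/* Per-peer timestamp state (constructed for this example, not pf's struct). */
struct peer {
	bool     ts_seen;     /* we hold a TSval from this peer */
	uint32_t ts_val;      /* highest TSval seen from this peer */
	uint64_t ts_val_ms;   /* firewall clock (ms) when ts_val was recorded */
	bool     ecr_seen;    /* the other side has echoed one of this peer's TSvals */
	uint32_t ts_ecr;      /* latest TSval of this peer echoed by the other side */
	bool     data_seen;   /* first data segment from this peer has been classified */
	bool     data_has_ts; /* ... and it carried a timestamp option */
};

struct conn {
	struct peer p[2];     /* index 0 = client, 1 = server */
};

/* Signed modular compare, so TSval wraparound is handled like sequence numbers. */
static int32_t ts_cmp(uint32_t a, uint32_t b) { return (int32_t)(a - b); }

/*
 * Inspect one TCP segment sent by peer `dir` (0 or 1) at firewall time now_ms.
 * has_ts says whether the timestamp option was present; tsval/tsecr are its
 * fields (ignored when has_ts is false); datalen is the payload length.
 */
static enum verdict
check_segment(struct conn *c, int dir, uint64_t now_ms, bool has_ts,
    uint32_t tsval, uint32_t tsecr, uint32_t datalen)
{
	struct peer *src = &c->p[dir];
	struct peer *dst = &c->p[!dir];

	/* Blind-spoofing defence: once this peer's first data segment carried
	 * a timestamp, every later data segment from it must carry one too. */
	if (datalen > 0 && src->data_seen && src->data_has_ts && !has_ts)
		return TS_DROP_MISSING;

	if (has_ts) {
		/* Classic PAWS: a TSval older than the value the other side
		 * already echoed back is a replay (or a wrapped sequence). */
		if (src->ecr_seen && ts_cmp(tsval, src->ts_ecr) < 0)
			return TS_DROP_PAWS_OLD;

		/* Aggressive check: the sender's clock cannot have ticked faster
		 * than 1 kHz since we last recorded its TSval. */
		if (src->ts_seen) {
			uint64_t elapsed = now_ms - src->ts_val_ms;
			int64_t limit = (int64_t)elapsed * TS_MAX_TICKS_PER_MS
			    + TS_SLACK_TICKS;
			if (ts_cmp(tsval, src->ts_val) > limit)
				return TS_DROP_TOO_FAST;
		}

		/* Accepted: advance our view of this peer's clock ... */
		if (!src->ts_seen || ts_cmp(tsval, src->ts_val) > 0) {
			src->ts_val = tsval;
			src->ts_val_ms = now_ms;
			src->ts_seen = true;
		}
		/* ... and note what it echoed of the other side (0 = nothing yet). */
		if (tsecr != 0) {
			dst->ts_ecr = tsecr;
			dst->ecr_seen = true;
		}
	}

	/* Classify the first data segment: did this direction start with timestamps? */
	if (datalen > 0 && !src->data_seen) {
		src->data_seen = true;
		src->data_has_ts = has_ts;
	}
	return TS_PASS;
}

int main(void)
{
	struct conn c;
	memset(&c, 0, sizeof(c));
	uint64_t t = 1000;   /* constructed firewall clock, in ms */

	/* 3WHS with timestamps, then a request and the start of the response. */
	check_segment(&c, 0, t,      true, 100, 0,   0);     /* SYN */
	check_segment(&c, 1, t + 1,  true, 500, 100, 0);     /* SYN-ACK */
	check_segment(&c, 0, t + 2,  true, 100, 500, 0);     /* ACK */
	check_segment(&c, 0, t + 3,  true, 101, 500, 200);   /* HTTP request */
	check_segment(&c, 1, t + 10, true, 508, 101, 1400);  /* first response segment */

	/* Cache hijacks the server side and stops sending timestamps. */
	printf("hijack w/o TS: %d\n", check_segment(&c, 1, t + 11, false, 0, 0, 1400));
	/* Blind spoofer guesses a wildly advanced TSval for the client. */
	printf("too-fast TS:   %d\n", check_segment(&c, 0, t + 20, true, 100000, 508, 10));
	/* Replayed old client segment, TSval below what the server echoed. */
	printf("old TS:        %d\n", check_segment(&c, 0, t + 21, true, 99, 500, 50));
	/* Legitimate client segment still passes. */
	printf("legit:         %d\n", check_segment(&c, 0, t + 22, true, 120, 508, 50));
	return 0;
}
```

The "too fast" bound is deliberately computed from the firewall's own clock rather than from the peer's previous TSval alone; that is what makes a spoofed far-future timestamp distinguishable from a legitimately fast 1 kHz clock, and it is also why a middlebox that suddenly replaces the endpoint's clock (or drops the option entirely) trips the checker rather than slipping through as a normal retransmission.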