Doing a pf.conf tidy up.

From the pf.conf man page on 4.1:

    STATE MODULATION
      Much of the security derived from TCP is attributable to how well the
      initial sequence numbers (ISNs) are chosen. Some popular stack
      implementations choose very poor ISNs and thus are normally susceptible
      to ISN prediction exploits. By applying a modulate state rule to a TCP
      connection, pf(4) will create a high quality random sequence number for
      each connection endpoint.

Therefore, because OBSD uses quality ISNs, there is no point in modulating state on outbound packets that ORIGINATE (i.e. not passed through) an OBSD host.

No?

--
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]