Doing a pf.conf tidy up. From the pf.conf man page on 4.1:

STATE MODULATION

Much of the security derived from TCP is attributable to how well the
initial sequence numbers (ISNs) are chosen.  Some popular stack
implementations choose very poor ISNs and thus are normally susceptible
to ISN prediction exploits.  By applying a modulate state rule to a TCP
connection, pf(4) will create a high quality random sequence number for
each connection endpoint.

Therefore, because OBSD uses quality ISNs, there is no point in
modulating state on outbound packets that ORIGINATE from (i.e. are not
passed through) an OBSD host. No?
-- 
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]
