* Craig Skinner <[EMAIL PROTECTED]> [2007-09-15 16:21]:
> Doing a pf.conf tidy up. From the pf.conf man page on 4.1:
>
> STATE MODULATION
>
> Much of the security derived from TCP is attributable to how well the
> initial sequence numbers (ISNs) are chosen. Some popular stack
> implementations choose very poor ISNs and thus are normally susceptible
> to ISN prediction exploits. By applying a modulate state rule to a TCP
> connection, pf(4) will create a high quality random sequence number for
> each connection endpoint.
>
> Therefore, because OBSD uses quality ISNs, there is no point in
> modulating state on outbound packets that ORIGINATE (i.e. not passed
> through) an OBSD host.

correct.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
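An added illustration, not part of the thread and not pf code: a simplified Python model of what state modulation buys a forwarded connection from a host with poor ISNs. The fixed-increment `WeakStack`, the per-connection random offset in `ModulatedState`, and all names are assumptions made for the example; the quoted man page states only the outcome, not the mechanism.

```python
import secrets

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around

class WeakStack:
    """Constructed stand-in for a host with poor ISNs: fixed step per connection."""
    def __init__(self, start=1000, step=64000):
        self.next_isn, self.step = start, step

    def new_isn(self):
        isn = self.next_isn
        self.next_isn = (self.next_isn + self.step) & MASK
        return isn

class ModulatedState:
    """Per-connection state holding a random offset (assumed model of modulation)."""
    def __init__(self):
        self.offset = secrets.randbits(32)

    def outbound_seq(self, seq):
        # Sequence numbers leaving the protected host are shifted by the offset.
        return (seq + self.offset) & MASK

    def inbound_ack(self, ack):
        # ACKs from the peer refer to shifted numbers, so shift them back.
        return (ack - self.offset) & MASK

def observed_isns(stack, count, modulate):
    """ISNs an outside observer sees for `count` successive connections."""
    seen = []
    for _ in range(count):
        isn = stack.new_isn()
        seen.append(ModulatedState().outbound_seq(isn) if modulate else isn)
    return seen

def constant_step(isns):
    """True if successive ISNs differ by one fixed increment (trivially predictable)."""
    deltas = {(b - a) & MASK for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1

if __name__ == "__main__":
    print("raw ISNs predictable:      ", constant_step(observed_isns(WeakStack(), 8, False)))
    print("modulated ISNs predictable:", constant_step(observed_isns(WeakStack(), 8, True)))
```

A host that already draws good random ISNs gains nothing from the extra offset, which is the point confirmed in the reply above.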

