Contributed by jose on from the even-more-cool-things-with-PF dept.
Very cool, now PF can do even more work on securing boxes behind a PF device. Be sure to test this and make sure it doesn't break anything (I think Daniel read the RFCs for a long time before making this commit).

"List: openbsd-cvs
Subject: CVS: cvs.openbsd.org: src
From: Daniel Hartmeier
Link: CVS commit
Date: 2003-02-08 20:13:20

CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2003/02/08 13:13:20

Modified files:
    share/man/man5 : pf.conf.5
    sys/net : pfvar.h pf_norm.c
    sbin/pfctl : parse.y pfctl_parser.c

Log message:
Add scrub option 'random-id', which replaces IP IDs with random values for outgoing packets that are not fragmented (after reassembly), to compensate for predictable IDs generated by some hosts, and defeat fingerprinting and NAT detection as described in the Bellovin paper http://www.research.att.com/~smb/papers/fnat.pdf.

ok theo@

Paper on NAT detection by Steven Bellovin "
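As an added illustration (not part of the original post or the OpenBSD commit), the Python sketch below models why sequential IP IDs reveal how many hosts share one NAT address, and what replacing them with random values does to that signal. The traffic is constructed, the gap threshold and greedy tracker are simplifying assumptions rather than the paper's exact method, and uniform random 16-bit values stand in for the IDs pf writes.

```python
import random

GAP = 64  # assumed: largest forward jump still attributed to the same counter

def host_stream(start, n):
    """IP IDs from one host using a sequential 16-bit counter (wraps at 65535)."""
    return [(start + i) & 0xFFFF for i in range(n)]

def interleave(streams, rng):
    """Merge per-host streams in random order, keeping each host's own order."""
    queues = [list(s) for s in streams]
    wire = []
    while any(queues):
        q = rng.choice([q for q in queues if q])
        wire.append(q.pop(0))
    return wire

def count_sequences(ids, gap=GAP):
    """Greedy tracker: attach each ID to a counter it plausibly continues,
    otherwise open a new one. Returns how many counters were inferred."""
    last = []  # last ID seen for each inferred counter
    for ip_id in ids:
        for i, prev in enumerate(last):
            if 0 < ((ip_id - prev) & 0xFFFF) <= gap:  # modular, so wrap is fine
                last[i] = ip_id
                break
        else:
            last.append(ip_id)
    return len(last)

def random_id(ids, rng):
    """Model of the scrub option: each outgoing ID becomes a random value."""
    return [rng.randrange(0x10000) for _ in ids]

def demo(seed=1):
    rng = random.Random(seed)
    # Constructed traffic: three hosts behind one address, 20 packets each.
    streams = [host_stream(s, 20) for s in (1000, 30000, 65530)]
    wire = interleave(streams, rng)
    return count_sequences(wire), count_sequences(random_id(wire, rng))

if __name__ == "__main__":
    plain, scrubbed = demo()
    print("inferred counters without random-id:", plain)
    print("inferred counters with random-id:   ", scrubbed)
```

Without rewriting, the tracker recovers exactly the three counters; with randomized IDs almost every packet opens its own "counter", so the count no longer says anything about the hosts behind the gateway.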