Daniel,
On Thu, Mar 12, 2009 at 04:01:38PM +0100, Daniel Hartmeier wrote:
> The following scenario would produce what you observe:
> 1) nmap sends a first TCP SYN to AAA.BBB.CCC.DDD with a random
> initial sequence number th_seq1
> 2) pf allows the packet out and creates a state entry
On 2009/03/13 10:25, Jeremie Le Hen wrote:
> It doesn't seem to be possible to disable sequence number/window
> tracking. Does it?
It's possible if you port the sloppy state handling code from OpenBSD.
On Fri, Mar 13, 2009 at 10:25:15AM +0100, Jeremie Le Hen wrote:
> % Mar 13 08:18:52 yoda /netbsd: pf: BAD state: TCP 82.233.239.98:39225
> 82.233.239.98:39225 88.187.38.85:80 [lo=3443494040 high=3443494041 win=2048
> modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3041360721 ack=0 len=0
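To see concretely why pf logged that line, here is a small parser for the "BAD state" log format plus a replay of pf's TCP sequence-window test, written as an added example for this thread; it is not code from the thread or from pf itself. It assumes the pf_print_state() layout of the log line (source-side bracket first, destination-side bracket second, then src:dst TCP state numbers, the TCP flags, and seq/ack/len), and the window arithmetic is a deliberate simplification of pf_test_state_tcp() that ignores window scaling. The sample line is the one from the post above, rejoined onto a single line.

```python
"""Decode a pf "BAD state" syslog line and replay a simplified version of
pf's TCP sequence-window check.

Added example, not pf's code.  Assumptions (not stated by the thread):
  - field layout follows pf_print_state(): [src side] [dst side] src:dst
    TCP states, flags, seq=/ack=/len=
  - the window test below is a simplification of pf_test_state_tcp()
    (no window scaling, modulator assumed 0 as in the logged line)
"""
import re
from dataclasses import dataclass

# Log line copied from the post (syslog prefix kept), rejoined onto one line.
SAMPLE = ("Mar 13 08:18:52 yoda /netbsd: pf: BAD state: TCP 82.233.239.98:39225 "
          "82.233.239.98:39225 88.187.38.85:80 [lo=3443494040 high=3443494041 "
          "win=2048 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S "
          "seq=3041360721 ack=0 len=0")

# BSD tcp_fsm.h numbering, which pf reuses for its per-side state numbers.
TCP_STATES = ["CLOSED", "LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED",
              "CLOSE_WAIT", "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2",
              "TIME_WAIT"]

_LINE = re.compile(
    r"pf: BAD state: (?P<proto>[A-Z]+) "
    r"(?P<addrs>[\d.]+:\d+(?: [\d.]+:\d+)*) "
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=(?P<swin>\d+) modulator=(?P<smod>\d+)\] "
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=(?P<dwin>\d+) modulator=(?P<dmod>\d+)\] "
    r"(?P<sstate>\d+):(?P<dstate>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+)"
)


@dataclass
class BadState:
    proto: str
    addrs: tuple              # addresses as printed (lan, gwy, ext in this era)
    src_lo: int; src_hi: int; src_win: int; src_mod: int
    dst_lo: int; dst_hi: int; dst_win: int; dst_mod: int
    src_state: int; dst_state: int
    flags: str
    seq: int; ack: int; length: int


def tcp_state_name(n):
    """Human-readable name for a pf/BSD TCP state number."""
    return TCP_STATES[n] if 0 <= n < len(TCP_STATES) else "STATE_%d" % n


def parse_bad_state(line):
    """Parse one syslog line; raise ValueError if it is not a pf BAD state line."""
    m = _LINE.search(line)
    if not m:
        raise ValueError("not a pf BAD state line: %r" % line)
    g = m.groupdict()
    return BadState(
        proto=g["proto"], addrs=tuple(g["addrs"].split()),
        src_lo=int(g["slo"]), src_hi=int(g["shi"]), src_win=int(g["swin"]), src_mod=int(g["smod"]),
        dst_lo=int(g["dlo"]), dst_hi=int(g["dhi"]), dst_win=int(g["dwin"]), dst_mod=int(g["dmod"]),
        src_state=int(g["sstate"]), dst_state=int(g["dstate"]),
        flags=g["flags"], seq=int(g["seq"]), ack=int(g["ack"]), length=int(g["len"]),
    )


def seq_geq(a, b):
    """SEQ_GEQ(a, b) with 32-bit wraparound: a >= b in sequence space."""
    return ((a - b) & 0xFFFFFFFF) < 0x80000000


def window_check(ev):
    """Simplified pf window test for a packet sent by the state's source side.

    Returns a dict with the computed end-of-segment and the two bound checks
    pf applies: end <= src.seqhi, and seq >= src.seqlo - dst.max_win.
    isn_changed flags a SYN whose sequence number differs from the ISN that
    created the state (seqlo), which is the nmap scenario from this thread.
    """
    end = ev.seq + ev.length + (1 if "S" in ev.flags else 0) + (1 if "F" in ev.flags else 0)
    end &= 0xFFFFFFFF
    return {
        "end": end,
        "upper_ok": seq_geq(ev.src_hi, end),
        "lower_ok": seq_geq(ev.seq, (ev.src_lo - ev.dst_win) & 0xFFFFFFFF),
        "isn_changed": "S" in ev.flags and ev.seq != ev.src_lo,
    }


def explain(line):
    """One-line verdict for a BAD state log line."""
    ev = parse_bad_state(line)
    r = window_check(ev)
    verdict = "inside window" if (r["upper_ok"] and r["lower_ok"]) else "outside window"
    return "%s %s -> %s: src=%s dst=%s seq=%u end=%u window=[%u,%u] %s%s" % (
        ev.proto, ev.addrs[0], ev.addrs[-1], tcp_state_name(ev.src_state),
        tcp_state_name(ev.dst_state), ev.seq, r["end"], ev.src_lo, ev.src_hi,
        verdict, " (SYN with a new ISN)" if r["isn_changed"] else "")


if __name__ == "__main__":
    print(explain(SAMPLE))
```

For the posted line the state is SYN_SENT:CLOSED (2:0), the tracked window is [3443494040, 3443494041] with modulator 0, and the offending packet is a bare SYN with seq=3041360721: it passes the upper bound but fails the lower one, and its sequence number is not the ISN that created the state, which is exactly the "second SYN with a fresh random ISN" case Daniel describes. A retransmitted SYN carrying the original ISN would pass both checks.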