To increase the security of the host(s) it is supposed to protect, OpenBSD PF has a number of unique features to correct mistakes in TCP/IP stack implementations, which are described in this section.
To ensure proper delivery of TCP packets and to prevent connection hijacking, the TCP protocol utilizes a sequence numer scheme in which a random initial sequence number (ISN) is chosen at the start of a connection, which is incremented for each byte transmitted. However, many popular TCP implementations use a very poor random number generator for generating these ISNs3, thus making it more likely TCP connections originating from such systems could be taken over by malicious people.
That is why the OpenBSD PF developers chose to add state modulation. This involves generating a more random initial sequence number for connections matching a PF rule, and translating the sequence numbers of packets passing the firewall from the ISN generated by the host to the ISN generated by the firewall and vice-versa.
This can be done by adding the modulate state keyword to PF rules, such as this one, protecting the corporate network defined in the previous chapter:
pass in quick on xl1 proto tcp from 260.250.1.0/24 to any \
flags S/SA modulate state
The modulate state option implies keep state, described in section 2.3.
Since some IP stacks don't correctly implement IP packet defragmentation, OpenBSD PF provides the scrub directive. If a scrub rule matches a packet, the PF normalization component makes sure the packet is defragmented and completely stripped of all abnormalities before it is sent along to its final destination4.
Normalizing all incoming network traffic would require a rule such as this:
scrub in all
Using the scrub directive uses quite an amount of server resources, so its use should be limited to protecting only the weak TCP/IP stack implementations.
Additional options that apply to the scrub directive are: