[pf4freebsd] Doubt about modulate state

Mario Doria madd at tecdigital.net
Wed Sep 15 21:02:58 PDT 2004


Hi all,

I was reading a pf ruleset example at
http://www.openbsd.org/faq/pf/example1.html when I noticed this:

(1) pass in on $int_if from $int_if:network to any keep state
(2) pass out on $int_if from any to $int_if:network keep state

(3) pass out on $ext_if proto tcp all modulate state flags S/SA
(4) pass out on $ext_if proto { udp, icmp } all keep state

$int_if is the internal interface.
$ext_if is the external interface.

As I understand it, rule (1) allows the internal network to communicate
with the firewall and with the outside world.
Rule (2) lets the firewall talk to the internal network.
Rule (3) lets TCP traffic go out, but pf is first going to use
a high-quality random sequence number for each connection.
Rule (4) lets the UDP and ICMP protocols go out on the external
interface.

Now the problem I see is:
from the pf.conf(5) man page:

"There are two caveats associated with state modulation: A modulate state rule
can not be applied to a pre-existing but unmodulated connection.
Such an application would desynchronize TCP's strict sequencing between
the two endpoints. Instead, pf(4) will treat the modulate state modifier as
a keep state modifier and the pre-existing connection will be inferred
without the protection conferred by modulation."

So, here rule (1) is the first rule that sees the connections coming from the
internal interface, and if you're doing NAT on the firewall, when your
packets go out to the world using rule (3), they would not benefit from the
modulate keyword. pf would treat the connection as a previously existing
connection and then it wouldn't be able to apply the modulate keyword.

I don't know if this is correct, I'm having doubts because I found
this example on the "official" FAQ for PF. Can anyone help me please?


Mario
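A ruleset variant that sidesteps the question the post raises, as an added example that is not part of the original post or of the OpenBSD FAQ page it cites: it keeps the FAQ's four rules and adds, after rules (1) and (2), TCP-specific rules on $int_if that use modulate state themselves, so the first rule to create state for an outgoing TCP connection is a modulating one regardless of which interface pf sees the SYN on first. The interface names, the internal network, the nat line and the flags S/SA on the internal-interface rules are assumptions; pf's last-matching-rule-wins evaluation (no quick keyword) is what lets the more specific TCP rules override the general keep state ones placed before them.

```pf
# Added example; not from the OpenBSD FAQ or the original post.
# Interface names and the NAT setup are assumptions.
ext_if = "fxp0"
int_if = "xl0"

# NAT the internal network out the external interface (the poster's
# "if you're doing NAT on the firewall" case; assumed, not from the post).
nat on $ext_if from $int_if:network to any -> ($ext_if)

block all

# Rules (1) and (2) exactly as quoted from the FAQ.
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Added: more specific TCP rules on the internal interface. Because pf
# uses the last matching rule, these win over (1) and (2) for TCP, and the
# state they create is a modulated one. "flags S/SA" means state is only
# created from the initial SYN (SYN set, ACK clear), never from a packet
# in the middle of a connection, which is the case the pf.conf(5) caveat
# quoted in the post is about.
pass in  on $int_if proto tcp from $int_if:network to any \
    modulate state flags S/SA
pass out on $int_if proto tcp from any to $int_if:network \
    modulate state flags S/SA

# Rules (3) and (4) exactly as quoted from the FAQ.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Load it with pfctl -f /etc/pf.conf and then watch pfctl -vs rules: the per-rule States counter shows which rule is actually creating the states for internal-to-external TCP connections, which is the observable fact behind the post's question. Any non-TCP traffic from the internal network still falls through to rules (1) and (2) unchanged.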




More information about the freebsd-pf mailing list