Re: how to prevent fingerprint on OpenBSD 3.3?

Ted Unangst wrote:
>> >It seems that my PF rule can't prevent fingerprint scan.
>>
>> >block drop in log quick on tun0 inet proto tcp all flags FPU/FPU
>>
>> >How to change my PF rules to prevent fingerprint scan on OpenBSD?
>>
>> Good query. I thought your rule (the one I left behind) should be
>> able to handle scans. Evidently it doesn't. I would really like to
>> know the answer. Anyone?
>
> sysctl -w net.inet.tcp.recvspace=65536
> sysctl -w net.inet.tcp.sendspace=65536
> sysctl -w net.inet.tcp.sack=0
>
Additionally obfuscate ttl:
sysctl -w net.inet.ip.ttl=71
EJ
--
Remove the obvious part (including the dot) for my email address