OpenBSD Implementation PF Randomness Not everyone uses randomness the way they should... so we can put it in for them. Why in the firewall? We're already tracking connection state - so it's easy It's expected that a firewall can be agressive about packet modification Some of the randomness happens anyways, for functional reasons source port and ip for NAT The firewall provides fine-grained control of randomness injection