OpenBSD Implementation

PF Randomness

Not everyone uses randomness the way they should... so we can put it in for them.

Why in the firewall?

- We're already tracking connection state - so it's easy
- It's expected that a firewall can be aggressive about packet modification
- Some of the randomness happens anyways, for functional reasons
  - source port and IP for NAT
- The firewall code already makes packet modifications for other reasons
- The firewall provides fine-grained control of randomness injection