
OS Fingerprinting in OpenBSD's PF Firewall

Author
       
admin
Administrator

Registered: Jan 2002
Location:
Posts: 2353

OS Fingerprinting in OpenBSD's PF Firewall

Mike Frantzen has committed "Passive operating system fingerprinting" to PF which exposes the source host's OS to the filter language. The goal of this work is to allow firewalling decisions to take place based not only on the source of a connection, but the operating system of that source. Powerful policy enforcement is now possible such as redirecting all older windows boxes to a web site telling them to upgrade. Or blocking all windows boxes from connecting to mail servers (damn worms). A writeup can be found here. Please help contribute to the OS fingerprint database by going to http://lcamtuf.coredump.cx/p0f-help/ and typing in your OS description if it does not recognize your OS. Thanks, blowfish, our community member, for the news story.

[Read email]
---------------------------------------------------
From: frantzen@w4g.org (Mike Frantzen)
Newsgroups: bit.listserv.openbsd-pf
Subject: PF filter decisions based on source OS type
Date: 21 Aug 2003 12:53:44 -0700

Just committed a diff to -current that adds Michal Zalewski's
p0f v2 style passive fingerprinting to PF. It allows PF to filter on
the operating system of the source host by passively fingerprinting
the SYN packets. Powerful policy enforcement is now possible:
block proto tcp from any os Windows to any port smtp
block proto tcp from any os SCO
pass proto tcp from any os $UNIXES keep state queue high-bandwidth

# Send older windows to a web page telling them to upgrade
rdr on le0 proto tcp from any os "Windows 98" to any port 80 \
-> 127.0.0.1 port 8001

Passive fingerprinting has also been added to tcpdump via the -o
parameter to print out the sender OS of TCP SYN packets.

There is a short writeup at http://www.w4g.org/fingerprinting.html

We need your help to populate the operating system database. Please
go to http://lcamtuf.coredump.cx/p0f-help with as many machines with
web browsers as possible and type in your OS name if it doesn't
recognize the machine.

.mike


08-25-2003 07:43 AM
 
cv-soft
BSD n00b

Registered: Sep 2002
Location:
Posts: 28

If you connect via a proxy server, it tells you the uptime of it. How is that possible?


08-25-2003 03:47 PM
 
blowfish
Mentor

Registered: Jun 2002
Location:
Posts: 1480

 

quote:
Originally posted by cv-soft
If you connect via a proxy server, it tells you the uptime of it. How is that possible?

I believe it uses the TCP timestamp option.

 

__________________
Go and tell the king that the sky is falling in when it's not (maybe not).

chat.taucher.net, #bsd


08-25-2003 04:08 PM
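As an added illustration (not code from the page, the PF commit, or p0f), here is a minimal Python rendering of the two things discussed above: the passive fingerprint that the committed PF code keys on (TTL, DF bit, window size, MSS, window scale and TCP option layout of the SYN) matched against signatures in the p0f.fp style, and the TCP timestamp option that the reply points at as the source of the uptime estimate. The `build_syn` helper, the `LAYOUT`/`SIGNATURES` entries and the 100 Hz timestamp clock are constructed assumptions for the example, not entries from the real database.

```python
import struct

def parse_syn(pkt):
    """Pull the p0f-style fingerprint fields from a raw IPv4/TCP SYN; None if not a pure SYN."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]             # skip the IPv4 header (IHL in 32-bit words)
    if tcp[13] & 0x12 != 0x02: return None      # SYN set, ACK clear
    f = {"ttl": pkt[8], "df": (struct.unpack("!H", pkt[6:8])[0] >> 14) & 1,
         "win": struct.unpack("!H", tcp[14:16])[0], "mss": None, "wscale": None, "tsval": None, "layout": []}
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:       # stop at EOL/padding
        kind = opts[i]
        if kind == 1:                           # NOP carries no length byte
            f["layout"].append("nop"); i += 1; continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):  # malformed option: stop rather than loop forever
            break
        body = opts[i + 2:i + length]
        f["layout"].append({2: "mss", 3: "wscale", 4: "sok", 8: "ts"}.get(kind, "?%d" % kind))
        if kind == 2: f["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3: f["wscale"] = body[0]
        elif kind == 8: f["tsval"] = struct.unpack("!I", body[:4])[0]
        i += length
    return f

def initial_ttl(ttl):
    return next(t for t in (32, 64, 128, 255) if ttl <= t)   # observed TTL is initial minus hops

# Constructed, simplified signatures (window, initial TTL, DF, option layout, label);
# "S44" means window == 44 * MSS as in p0f.fp. These are NOT entries from the real database.
LAYOUT = ("mss", "nop", "wscale", "nop", "nop", "ts")
SIGNATURES = [("S44", 64, 1, LAYOUT, "OpenBSD-like (constructed)"),
              ("65535", 128, 1, LAYOUT, "Windows-like (constructed)")]

def match(f, sigs=SIGNATURES):
    for wspec, ittl, df, layout, label in sigs:
        want = int(wspec[1:]) * (f["mss"] or 0) if wspec[0] == "S" else int(wspec)
        if f["win"] == want and initial_ttl(f["ttl"]) == ittl and f["df"] == df and tuple(f["layout"]) == layout:
            return label
    return None

def uptime_seconds(tsval, hz):
    return tsval / hz      # TSval = timestamp-clock ticks since boot; hz is an OS-dependent guess

def build_syn(ttl, df, win, mss, wscale, tsval):
    # Constructed test input: IPv4/TCP SYN carrying MSS, NOP, WSCALE, NOP, NOP, TS (20 option bytes).
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, wscale)
    opts += b"\x01\x01" + struct.pack("!BBII", 8, 10, tsval, 0)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 10 << 4, 0x02, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0, ttl, 6, 0, bytes(4), bytes(4))
    return ip + tcp
```

Because the timestamp tick rate differs per OS, the OS match has to come first before a TSval can be turned into an uptime, which is why p0f reports both together; a proxy terminating the TCP connection is the host whose SYN is seen, so its uptime is what gets reported.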

Copyright © 2009, WEBSERVER CONSUMER GUIDE