Slashdot Mirror


OS Fingerprinting in OpenBSD's PF Firewall

Dan writes "Mike Frantzen has committed 'Passive operating system fingerprinting' to PF, which exposes the source host's OS to the filter language. The goal of this work is to allow firewalling decisions to take place based not only on the source of a connection, but the operating system of that source. Powerful policy enforcement is now possible, such as redirecting all older Windows boxes to a web site telling them to upgrade, or blocking all Windows boxes from connecting to mail servers (damn worms). A writeup can be found here. Please help contribute to the OS fingerprint database by going to http://lcamtuf.coredump.cx/p0f-help/ and typing in your OS description if it does not recognize your OS." Sorry - my fault. It is a dupe.

3 of 52 comments

  1. Proxies? by sporty · Score: 4, Interesting

    What about proxies and socks servers? There's prolly more useful things to do w/ this than redirect for content reasons.

    --

    -
    ping -f 255.255.255.255 # if only

  2. Re:can't wait 4 this by thebigmacd · Score: 2, Interesting

    The whole point of this is that it is OS fingerprinting... I'm sure the MacOS network stack is not the same as any MS OS. As a matter of fact, I'm fairly sure the OSX network stack is quite identifiable as a non-MS product.

  3. Re:can't wait 4 this by innosent · Score: 5, Interesting

    It is viable. After all, how many non-windows machines are infected with Blaster? If you use RPC for something (don't know why anyone would, but...), and don't want Blaster pounding away at your server, you could use the filter to drop all of the packets coming on that port from Windows.

    On a related note, let's say you do a lot of communicating between two servers, or between some remote workstations and a server, but don't allow public access. If there's no legitimate reason why a specific OS would connect to your server, why let it? Hell, just by dropping Windows, you get rid of most of the script kiddies. Maybe drop Linux, if you don't use it, to get rid of the rest of them. Probably very few script kiddies run *BSD. Sure, it's security through obscurity, but most kids will probably just overlook your server, which is a good thing. If they don't know it's there, they probably won't attack it.

    --
    --That's the point of being root, you can do anything you want, even if it's stupid.
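The policies sketched in the story (redirect old Windows clients to an upgrade page, keep Windows hosts off the mail server) and in innosent's comment (drop Windows traffic to an RPC port, allow only one OS to reach an internal service) map onto a handful of pf.conf rules using the `os` keyword. The fragment below is an added example written for this page, not code from the OpenBSD project or from the commit being discussed. The interface name, the addresses and the fingerprint names in it are constructed; the fingerprint strings available on a real system come from /etc/pf.os and are listed by `pfctl -s osfp`.

```conf
# Added example pf.conf fragment (OpenBSD 3.4-era syntax); addresses are constructed.
ext_if         = "fxp0"
upgrade_server = "192.0.2.10"    # web page that tells old clients to upgrade
mail_server    = "192.0.2.25"
rpc_server     = "192.0.2.135"
admin_box      = "192.0.2.200"

# Redirect HTTP from pre-Windows-2000 clients to the upgrade notice.
# The os list matches whole fingerprint classes from pf.os (assumed names).
rdr on $ext_if proto tcp from any os { "Windows 95", "Windows 98" } \
    to any port www -> $upgrade_server port www

# Keep Windows hosts (any version) away from SMTP; log the hits so the
# volume of blocked worm traffic can be watched.
block in log on $ext_if proto tcp from any os "Windows" \
    to $mail_server port smtp

# Blaster-style noise: drop Windows sources hitting the RPC endpoint mapper.
block in log quick on $ext_if proto tcp from any os "Windows" \
    to $rpc_server port 135

# Only OpenBSD hosts may reach the admin box over ssh; everything the
# fingerprinter cannot classify is refused as well.
block in log on $ext_if proto tcp from any os unknown to $admin_box port ssh
pass  in     on $ext_if proto tcp from any os "OpenBSD" to $admin_box port ssh \
    keep state
```

Two caveats worth keeping in mind when relying on these rules: the fingerprint is taken from the TCP SYN only, so `os` matches are meaningful just for rules that see the connection-opening packet (which is why the pass rule keeps state), and the match is only as trustworthy as the sender's stack is honest, so treat it as a filter on accidental and worm traffic rather than as authentication. Check the syntax with `pfctl -nf /etc/pf.conf` before loading the file.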