From: Michal 'max' Marciniak
To: freebsd-stable@freebsd.org
Date: Tue, 19 Apr 2005 13:47:57 +0200 (CEST)
Subject: Re: FreeBSD and NMAP

On Tue, 19 Apr 2005, peceka wrote:

>> > How can I hide from nmap that my OS is FreeBSD? Is this possible?
>>
>> # sysctl -ad | grep random_id
>> net.inet.ip.random_id: Assign random ip_id values
>> # echo 'net.inet.ip.random_id=1' >> /etc/sysctl.conf
>
>After that:
>Interesting ports on 192.168.1.248:
>(The 1643 ports scanned but not shown below are in state: closed)
>Port State Service
>22/tcp open ssh
>Device type: general purpose
>Running (JUST GUESSING) : FreeBSD 5.X|4.X (95%), Apple Mac OS X 10.1.X
>(88%), OpenBSD 3.X|2.X (88%), Apple Mac OS 8.X (85%)
>Aggressive OS guesses: FreeBSD 5.0-RELEASE (95%), Apple Mac OS X
>10.1.5 (88%), FreeBSD 4.3 - 4.4PRERELEASE (88%), FreeBSD 5.0-RELEASE
>(x86) (88%), FreeBSD 5.1-CURRENT (June 2003) on Sparc64 (88%), OpenBSD
>3.0 or 3.3 (88%), Apple Mac OS X 10.1.4 (Darwin Kernel 5.4) on iMac
>(86%), FreeBSD 4.5-RELEASE (or -STABLE) through 4.6-RC (X86) (86%),
>FreeBSD 4.7-RELEASE (86%), FreeBSD 5.0-RELEASE or -CURRENT (Jan 2003)
>(86%)
>No exact OS matches for host (test conditions non-ideal).
>Uptime 0.003 days (since Tue Apr 19 13:22:41 2005)
>
>So it didn't help much...
>

So, try this:

block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF

(in pf.conf)

-- 
Michał 'max' Marciniak
felix.fizyka.amu.edu.pl
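
Added example, not part of the original message: a small Python model of how pf evaluates `flags a/b`, applied to the six rules above so you can see which TCP flag combinations they drop and which pass. The sample flag sets and the helper names (`rule_matches`, `first_match`) are constructed for illustration.

```python
# pf.conf flag letters: F S R P A U E W (FIN SYN RST PSH ACK URG ECE CWR).
PF_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
            "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# The flags arguments exactly as they appear in the message, in order.
RULES = ["FUP/WEUAPRSF", "WEUAPRSF/WEUAPRSF", "SRAFU/WEUAPRSF",
         "/WEUAPRSF", "SR/SR", "SF/SF"]

def to_bits(letters):
    """Convert a string of pf flag letters to a TCP flags byte."""
    bits = 0
    for ch in letters:
        bits |= PF_FLAGS[ch]
    return bits

def rule_matches(spec, packet_flags):
    """pf semantics for 'a/b': of the flags in mask b, exactly those in a
    must be set; flags outside the mask are ignored."""
    want, mask = spec.split("/")
    return (to_bits(packet_flags) & to_bits(mask)) == to_bits(want)

def first_match(packet_flags):
    """Return the rule that blocks the packet, or None. Every rule uses
    'quick', so the first match is final."""
    for spec in RULES:
        if rule_matches(spec, packet_flags):
            return spec
    return None

# Constructed flag combinations (not captured traffic).
SAMPLES = {
    "plain SYN": "S",
    "SYN+ACK": "SA",
    "data segment": "PA",
    "no flags set": "",
    "FIN+URG+PSH": "FUP",
    "SYN+FIN": "SF",
    "SYN+RST": "SR",
    "SYN+FIN+ACK": "SFA",   # caught by the narrow SF/SF mask
    "SYN+ECE+CWR": "SEW",   # ECN-setup SYN, not covered by these rules
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        verdict = first_match(flags) or "not blocked by these rules"
        print(f"{name:14} {flags or '-':4} -> {verdict}")
```

The narrow masks in `SR/SR` and `SF/SF` catch any packet carrying both flags regardless of the others, while the four `/WEUAPRSF` rules only match one exact combination each.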