From: Angelo Laub <al@rechenknecht.net>
Date: Sat, 10 Dec 2005 01:36:11 +0100
To: freebsd-pf@freebsd.org
Subject: Passive OS Fingerprinting broken?
Message-Id: <3F36E476-34E6-4FF8-95B5-638B94E6475D@rechenknecht.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I can't get Passive OS Fingerprinting to work on FreeBSD 6.0. I've used PF's passive OS fingerprinting under OpenBSD before without any problems, so I was wondering if there is something special to do on FreeBSD.

I have inserted the line

  block in quick proto tcp from any os "Windows" to any port smtp

but it does not work. I can still connect from Windows hosts. I've tried the same with Linux, no help here. When I instead block specific IPs, it works as expected.
This is my pf.conf:

#### BEGIN PF.CONF ####
# Macros: define common values, so they can be referenced and changed easily.
ext_if="em0"            # replace with actual external interface name i.e., dc0
ServicesTCP="{ ssh, www, 443, domain, smtp, pop3, imap, 993, 995, 5000, svn }"
ServicesUDP="{ domain, 1194, smtp }"
internal_net="80.237.242.112/29"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all no-df

# Passive OS fingerprinting: drop SMTP connection attempts from Windows hosts.
block in quick proto tcp from any os "Windows" to any port smtp

# Default deny, log everything that is not explicitly passed.
block in log all

pass quick on lo0
pass quick on tap0

pass out on $ext_if all keep state
pass in on $ext_if from $internal_net to $ext_if keep state

# make it harder for nmap to scan us
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA

# accept ping
pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $ext_if proto tcp from any to $ext_if port $ServicesTCP flags S/SA keep state
pass in on $ext_if proto udp from any to $ext_if port $ServicesUDP keep state
#### END PF.CONF ####

Am I doing something wrong?

Thanks,
Angelo
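The `os "Windows"` rule above only fires when pf can match the incoming SYN against a fingerprint loaded from pf.os; if no signature matches, the rule is simply skipped and the later `pass in ... port $ServicesTCP` rule lets the connection through, which looks exactly like "fingerprinting is broken". The following is an added example, not code from the original post and not pf's own implementation: a small Python parser for the pf.os(5) line format (window:TTL:df:packet-size:TCP options:class:version:subtype:description) and a matcher that applies it to a constructed SYN. The signatures in `SAMPLE_PF_OS` are constructed for illustration rather than copied from a real pf.os file, and the matching heuristics (notably accepting any observed TTL at or below the signature's initial TTL) are a simplification of pf's logic and an assumption here.

```python
"""Toy passive OS fingerprint matcher in the style of pf.os(5).

Added example, not the original post's or pf's code. Signatures below are
constructed; the matching rules approximate pf and are an assumption.
"""
from dataclasses import dataclass
from typing import List

# Constructed excerpt in pf.os(5) layout:
#   window:TTL:df:packet-size:TCP options:class:version:subtype:description
# Window: "*" any, "nnn" exact, "%nnn" multiple of nnn, "Snnn" nnn times the MSS.
# Options: M* any MSS, Mnnn exact MSS, N nop, W*/Wn wscale, T timestamp, S sackOK, E eol.
SAMPLE_PF_OS = """\
# constructed signatures, not the real pf.os
65535:64:1:60:M*,N,W0,N,N,T:FreeBSD:5.0::FreeBSD 5.0 (constructed)
S4:64:1:60:M*,N,W0,N,N,T:FreeBSD:5.x::FreeBSD 5.x, window = 4*MSS (constructed)
16384:128:1:48:M*,N,W0:Windows:2000::Windows 2000 (constructed)
65535:128:1:52:M*,N,W0,N,N,S:Windows:XP::Windows XP (constructed)
5840:64:1:60:M*,S,T,N,W0:Linux:2.6::Linux 2.6 (constructed)
"""

# Wire size of each TCP option kind, used to derive the packet-size field.
OPT_LEN = {"M": 4, "N": 1, "W": 3, "T": 10, "S": 2, "E": 1}


@dataclass
class Signature:
    window: str
    ttl: int
    df: int
    size: int
    opts: List[str]
    os_class: str
    version: str
    subtype: str
    desc: str


@dataclass
class Syn:
    """Fields pf extracts from an incoming SYN (constructed input)."""
    window: int
    ttl: int
    df: int
    opts: List[str]  # e.g. ["M1460", "N", "W0", "N", "N", "S"]

    @property
    def mss(self) -> int:
        for o in self.opts:
            if o.startswith("M"):
                return int(o[1:])
        return 0

    @property
    def size(self) -> int:
        # 20-byte IP header + 20-byte TCP header + option bytes.
        return 40 + sum(OPT_LEN[o[0]] for o in self.opts)


def parse_pf_os(text: str) -> List[Signature]:
    """Parse pf.os-formatted text; '#' starts a comment, blank lines are skipped."""
    sigs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split(":", 8)  # description may itself contain colons
        if len(f) != 9:
            raise ValueError(f"malformed pf.os line: {raw!r}")
        opts = f[4].split(",") if f[4] else []
        sigs.append(Signature(f[0], int(f[1]), int(f[2]), int(f[3]), opts, *f[5:]))
    return sigs


def window_matches(spec: str, syn: Syn) -> bool:
    if spec == "*":
        return True
    if spec.startswith("%"):
        return syn.window % int(spec[1:]) == 0
    if spec.startswith("S"):
        return syn.mss > 0 and syn.window == int(spec[1:]) * syn.mss
    return syn.window == int(spec)


def opt_matches(spec: str, opt: str) -> bool:
    if spec in ("M*", "W*"):  # wildcard MSS / window scale
        return opt[0] == spec[0]
    return spec == opt


def matches(sig: Signature, syn: Syn) -> bool:
    # The signature TTL is the sender's initial TTL; the observed value has been
    # decremented once per hop, so accept anything at or below it (assumption:
    # simplified from pf's handling).
    return (window_matches(sig.window, syn)
            and syn.ttl <= sig.ttl
            and syn.df == sig.df
            and syn.size == sig.size
            and len(sig.opts) == len(syn.opts)
            and all(opt_matches(s, o) for s, o in zip(sig.opts, syn.opts)))


def fingerprint(sigs: List[Signature], syn: Syn) -> List[str]:
    """Return 'class version' for every signature the SYN matches."""
    return [f"{s.os_class} {s.version}".strip() for s in sigs if matches(s, syn)]


def rule_os_matches(sigs: List[Signature], syn: Syn, os_class: str) -> bool:
    """Would a rule carrying 'os "<os_class>"' match this SYN at all?"""
    return any(matches(s, syn) and s.os_class == os_class for s in sigs)


if __name__ == "__main__":
    sigs = parse_pf_os(SAMPLE_PF_OS)
    win_xp = Syn(65535, 120, 1, ["M1460", "N", "W0", "N", "N", "S"])
    print(fingerprint(sigs, win_xp), rule_os_matches(sigs, win_xp, "Windows"))
```

The last two asserts in the test show the failure mode that matters for the rule in the post: a SYN whose window, TTL, DF bit or option layout differs from every loaded signature produces no fingerprint, so `rule_os_matches(..., "Windows")` is false and pf falls through to the next rule. When debugging an `os` rule, the first thing to confirm is therefore that fingerprints are actually loaded and that the peer's SYN lands on one of them, rather than assuming the rule itself is wrong.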