|MiNi0n|
August 21st, 2003, 16:48
See this link for more info, seems pf is going to have the capability to fingerprint OS to allow you to block by OS type. I can only imagine there will be grey area here causing some hit and miss, but kewl all the same!

http://marc.theaimsgroup.com/?l=openbsd-pf&m=106149522527441&w=2

soup4you2
August 21st, 2003, 16:50
I just came here to post that... That's badass!!

block proto tcp from any os Windows to any port any

bsdjunkie
August 21st, 2003, 21:09
Sweet!!

v902
August 21st, 2003, 21:18
Damn, I was about to post the deadly (http://deadly.org/article.php3?sid=20030821153534) article... Hey! It looks like I did! :D

Strog
August 22nd, 2003, 14:02
This has all kinds of possibilities. Very cool stuff there.


I just read the comments on deadly.org and noticed the troll that kept posting a link to "OpenCULT" http://phrack.efnet.ru/phrack/opencult/. It's stupid but mildly amusing

SolarfluX
August 23rd, 2003, 17:35
Just installed pf_freebsd 1.62 which has the -o option for pftcpdump, pretty nifty. It doesn't catch everything, however...

# pftcpdump -onettti pflog0

59. 807804 rule 2/0(match): block in on fxp1: 68.160.254.45.3131 > x.x.x.x.135: S (src OS: unknown) 1240664343:1240664343(0) win 65280 <mss 1360,nop,nop,sackOK> (DF)
543110 rule 2/0(match): block in on fxp1: 207.188.148.17.1350 > x.x.x.x.135: S (src OS: Windows 2000 SP3, Windows XP) 221665159:221665159(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
5. 999485 rule 2/0(match): block in on fxp1: 64.229.163.149.3123 > x.x.x.x.135: S (src OS: Windows 2000P, Windows XP) 2152195048:2152195048(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
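
Output like the `-o` lines quoted above can be tallied to see which logged packets the fingerprinting leaves unidentified, along with the window size and TCP options that would need a signature. This is an added example, not part of the thread or of pf; the sample lines are constructed in the format shown in the post (documentation addresses, made-up timestamps), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the post above; addresses are
# documentation ranges and the leading timestamps are made up.
SAMPLE_LOG = """\
0.000000 rule 2/0(match): block in on fxp1: 192.0.2.45.3131 > 198.51.100.7.135: S (src OS: unknown) 1240664343:1240664343(0) win 65280 <mss 1360,nop,nop,sackOK> (DF)
0.543110 rule 2/0(match): block in on fxp1: 203.0.113.17.1350 > 198.51.100.7.135: S (src OS: Windows 2000 SP3, Windows XP) 221665159:221665159(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
5.999485 rule 2/0(match): block in on fxp1: 203.0.113.149.3123 > 198.51.100.7.135: S (src OS: Windows XP) 2152195048:2152195048(0) win 16384 <mss 1440,nop,nop,sackOK> (DF)
this line is not a pflog entry
"""

# Anchored on "rule" so whatever timestamp prefix precedes it is ignored.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?:in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > \S+?\.(?P<dport>\d+): \S+ "
    r"\(src OS: (?P<os>[^)]*)\).*? win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?"
)


def parse_line(line):
    """Return the fields of one logged packet, or None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"], rec["dport"], rec["win"] = int(rec["rule"]), int(rec["dport"]), int(rec["win"])
    # The fingerprint may list several candidates; "unknown" means no signature matched.
    rec["os"] = [] if rec["os"] == "unknown" else [g.strip() for g in rec["os"].split(",")]
    return rec


def summarize(text):
    """Count fingerprint hits per OS family and collect the packets left unidentified."""
    families, unidentified = Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["os"]:
            # One count per packet per family (first word of each candidate).
            families.update({g.split()[0] for g in rec["os"]})
        else:
            unidentified.append((rec["src"], rec["win"], rec["opts"]))
    return families, unidentified


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```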

elmore
August 23rd, 2003, 17:40
Just installed pf_freebsd 1.62 which has the -o option for pftcpdump, pretty nifty. It doesn't catch everything, however...


Give it some time and I'm sure Daniel and crew will have it tuned out and fully tweaked.