Title: Filtering TCP connections by operating system on OpenBSD
Author: Solène
Date: 06 February 2021
Tags: openbsd security
Description:
# Introduction
In this text I will explain how to filter TCP connections by operating
system using the OpenBSD packet filter (pf).
OpenBSD pf.conf man page about OS Fingerprinting
# Explanations
Every operating system constructs its TCP SYN packets in its own way.
This is called fingerprinting, because it permits identifying which OS
sent which packet. To be clear, it is not a perfect filter and can
easily be bypassed by someone who wants to.
Because specific packets are required to identify the operating system,
only TCP connections can be filtered by OS. The OS list and the SYN
values can be found in the file /etc/pf.os.
# How to setup
The keyword "os $value" must be used within the "from $address" part
of a rule. I use it to restrict ssh connections to my server to
OpenBSD systems only (in addition to key authentication).
OpenBSD packet filter configuration file, including comments:
```
# only allow OpenBSD hosts to connect
pass in on egress inet proto tcp from any os OpenBSD to (egress) port 22
# allow connections from $home IP whatever the OS is
pass in on egress inet proto tcp from $home to (egress) port 22
```
This can be a very good way to stop unwanted traffic from spamming logs,
but it should be used with caution because you may accidentally block
legitimate traffic.
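As an added example (not code from this post or from OpenBSD's pf), the following Python models how an /etc/pf.os entry is matched against the values of an incoming SYN and which names an entry makes available to the `os` keyword; the sample entries are constructed, and the window, TTL and option comparison rules are assumed from pf.os(5).

```python
"""Match a TCP SYN against pf.os-style fingerprints (added example, not code from
the post or from pf). Sample entries are constructed in the pf.os(5) field order."""
from dataclasses import dataclass

SAMPLE_PF_OS = """\
# constructed entries; field order: window:ttl:df:size:options:class:version:subtype:details
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:4.x::OpenBSD 4.x (constructed)
S4:64:1:60:M*,S,T,N,W7:Linux:2.6::Linux 2.6 (constructed)
65535:128:1:48:M*,N,N,S:Windows:XP::Windows XP (constructed)
"""

@dataclass
class Fingerprint:
    window: str; ttl: int; df: int; size: int; options: list
    os_class: str; version: str; subtype: str; details: str

    def rule_names(self):
        """Names accepted after the pf.conf 'os' keyword for this entry."""
        parts = [p for p in (self.os_class, self.version, self.subtype) if p]
        return [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]

def parse_pf_os(text):
    """Parse pf.os-style lines; comments, blanks and malformed entries are skipped."""
    fps = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].strip().split(":", 8)
        if len(f) == 9:
            fps.append(Fingerprint(f[0], int(f[1]), int(f[2]), int(f[3]),
                                   f[4].split(","), *f[5:]))
    return fps

def window_ok(spec, window, mss, mtu):
    """Window forms: '*' any, '%n' modulo n, 'Sn' n*MSS, 'Tn' n*MTU, or exact."""
    if spec == "*": return True
    if spec[0] == "%": return window % int(spec[1:]) == 0
    if spec[0] == "S": return mss is not None and window == int(spec[1:]) * mss
    if spec[0] == "T": return mtu is not None and window == int(spec[1:]) * mtu
    return window == int(spec)

def options_ok(spec, opts):
    # option count and order must agree; 'M*' / 'W*' accept any MSS / scale value
    return len(spec) == len(opts) and all(
        w == g or (w.endswith("*") and g.startswith(w[0])) for w, g in zip(spec, opts))

def match_syn(fps, window, ttl, df, size, opts, mss=None, mtu=None):
    # TTL is a loose match: routers decrement it, so any value at or below the
    # fingerprint's initial TTL is accepted, one reason the filter is not exact
    return [fp for fp in fps if fp.ttl >= ttl and fp.df == df and fp.size == size
            and window_ok(fp.window, window, mss, mtu) and options_ok(fp.options, opts)]
```

The looseness of the TTL and MSS comparisons is what lets a deliberately crafted SYN pass as another OS, which is why the rule above is combined with key authentication rather than relied on alone.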