Title: Filtering TCP connections by operating system on OpenBSD
Author: Solène
Date: 06 February 2021
Tags: openbsd security
Description:
# Introduction
In this text I will explain how to filter TCP connections by operating
system using OpenBSD Packet Filter (pf).
OpenBSD pf.conf man page about OS Fingerprinting
# Explanations
Every operating system builds its TCP SYN packets slightly differently
(window size, initial TTL, size and order of the TCP options). Those
differences can be used to guess which OS sent a packet; this is called
OS fingerprinting. It must be clear that this is not a perfect filter:
every field it relies on is under the sender's control, so anyone who
wants to can craft SYN packets that imitate another operating system.
Because a specific packet (the SYN that opens a TCP connection) is
required to identify the operating system, only TCP connections can be
filtered by OS. The list of known operating systems and the SYN
characteristics that identify them can be found in the file /etc/pf.os.
# How to setup
The "os $value" keyword is written right after the "from $address" part
of a rule. I use it to restrict ssh connections to my server to OpenBSD
systems only (in addition to key authentication).
OpenBSD packet filter configuration file, including comments:
```
# only allow OpenBSD hosts to connect
pass in on egress inet proto tcp from any os OpenBSD to (egress) port 22
# allow connections from $home IP whatever the OS is
# ($home must be defined as a macro earlier in pf.conf)
pass in on egress inet proto tcp from $home to (egress) port 22
```
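To make it concrete how the fingerprint and the rule above relate, here is a small added model of the matching: it is not OpenBSD's pf(4) code and the signature lines in it are constructed in the pf.os(5) layout (window:ttl:df:size:options:quirks:class:version:subtype:details), not copied from /etc/pf.os. The TTL tolerance and MTU derivation are simplifying assumptions, and the $home address, the source addresses and the three SYN packets are made up. It shows an OpenBSD-looking SYN passing, a Linux-looking SYN being refused unless it comes from $home, and a crafted SYN that copies the OpenBSD layout passing as well, which is the bypass the text warns about.

```python
"""Toy model of pf.os(5)-style TCP SYN fingerprint matching (added example,
not pf's code; signatures below are constructed, not the real /etc/pf.os)."""
from dataclasses import dataclass

# pf.os(5) layout: window:ttl:df:size:options:quirks:class:version:subtype:details
# window:  exact value, '*' (any), '%n' (multiple of n), 'Sn' (n * MSS), 'Tn' (n * MTU)
# options: TCP options in wire order: M (MSS, 'M*' = any), N (NOP), S (SACK OK),
#          T (timestamp), Wn (window scale n)
SAMPLE_PF_OS = """
# constructed sample entries (not the real /etc/pf.os contents)
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.x::OpenBSD 3.x (constructed)
S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6::Linux 2.6 (constructed)
65535:128:1:48:M*,N,N,S:.:Windows:XP::Windows XP (constructed)
"""

@dataclass
class Signature:
    window: str
    ttl: int          # initial TTL the OS sends with
    df: int
    size: int
    options: list     # [(kind, value or None)], value '*' means "anything"
    cls: str
    version: str
    subtype: str
    details: str

@dataclass
class Syn:
    """What pf looks at in an incoming TCP SYN (constructed test input)."""
    window: int
    ttl: int          # TTL as seen on the wire, after hop decrements
    df: int
    size: int         # total IP length of the SYN packet
    options: list     # [(kind, value)] in wire order, e.g. ("M", 1460)

def parse_pf_os(text):
    """Parse pf.os-format lines ('#' starts a comment) into Signature objects."""
    sigs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split(":")
        if len(f) != 10:
            raise ValueError(f"malformed fingerprint: {raw!r}")
        opts = [(o[0], o[1:] or None) for o in f[4].split(",")]
        sigs.append(Signature(f[0], int(f[1]), int(f[2]), int(f[3]),
                              opts, f[6], f[7], f[8], f[9]))
    return sigs

def _window_matches(spec, syn):
    mss = next((v for k, v in syn.options if k == "M"), None)
    if spec == "*":
        return True
    if spec.startswith("%"):
        return syn.window % int(spec[1:]) == 0
    if spec.startswith("S"):
        return mss is not None and syn.window == int(spec[1:]) * mss
    if spec.startswith("T"):   # MTU taken as MSS + 40 (IPv4 + TCP headers), an assumption
        return mss is not None and syn.window == int(spec[1:]) * (mss + 40)
    return syn.window == int(spec)

def _options_match(sig_opts, syn_opts):
    if len(sig_opts) != len(syn_opts):
        return False
    for (sk, sv), (ok, ov) in zip(sig_opts, syn_opts):
        if sk != ok:
            return False
        if sv is not None and sv != "*" and str(ov) != sv:
            return False
    return True

def identify(syn, sigs):
    """Return every signature the SYN matches; several may match, or none."""
    hits = []
    for s in sigs:
        # Allow up to 32 hops of TTL decrement below the signature's initial TTL
        # (simplifying assumption for this toy, not pf's exact rule).
        if not (s.ttl - 32 < syn.ttl <= s.ttl):
            continue
        if s.df != syn.df or s.size != syn.size:
            continue
        if _window_matches(s.window, syn) and _options_match(s.options, syn.options):
            hits.append(s)
    return hits

SIGS = parse_pf_os(SAMPLE_PF_OS)

def ssh_rule_allows(syn, src, home="203.0.113.10"):
    """Decision the two pf rules above make for a SYN to port 22: pass from
    $home whatever the OS, otherwise pass only if the SYN looks like OpenBSD."""
    if src == home:
        return True
    return any(s.cls == "OpenBSD" for s in identify(syn, SIGS))

# Constructed SYNs: an OpenBSD host two hops away, a Linux host, and an
# attacker's packet crafted to copy the OpenBSD layout exactly.
OPENBSD_SYN = Syn(16384, 62, 1, 64,
                  [("M", 1460), ("N", None), ("N", None), ("S", None), ("N", None),
                   ("W", 0), ("N", None), ("N", None), ("T", None)])
LINUX_SYN = Syn(5840, 57, 1, 60,
                [("M", 1460), ("S", None), ("T", None), ("N", None), ("W", 7)])
CRAFTED_SYN = Syn(16384, 64, 1, 64, list(OPENBSD_SYN.options))

if __name__ == "__main__":
    for name, syn in (("openbsd", OPENBSD_SYN), ("linux", LINUX_SYN), ("crafted", CRAFTED_SYN)):
        print(name, [s.cls for s in identify(syn, SIGS)], ssh_rule_allows(syn, "198.51.100.7"))
```

The crafted SYN passes because nothing in the handshake authenticates the sender's OS; the "os" keyword is a noise filter for log hygiene, and the real access control is the key authentication the rule sits in front of.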
This can be a very good way to cut down on unwanted traffic spamming
your logs, but it should be used with caution because you may
accidentally block legitimate traffic: a client whose OS version is not
listed in /etc/pf.os, or whose packets pass through a device that
rewrites TCP options, will not match the rule.