Just committed a diff to -current that adds Michal Zalewski's
p0f v2 style passive fingerprinting to PF.  It allows PF to filter on
the operating system of the source host by passively fingerprinting
the SYN packets.  Powerful policy enforcement is now possible:
  block proto tcp from any os Windows to any port smtp
  block proto tcp from any os SCO
  pass proto tcp from any os $UNIXES keep state queue high-bandwidth

  # Send older windows to a web page telling them to upgrade
  rdr on le0 proto tcp from any os "Windows 98" to any port 80 \
      -> 127.0.0.1 port 8001

Passive fingerprinting has also been added to tcpdump via the -o
parameter to print out the sender OS of TCP SYN packets.

There is a short writeup at http://www.w4g.org/fingerprinting.html

We need your help to populate the operating system database.  Please
go to http://lcamtuf.coredump.cx/p0f-help with as many machines with
web browsers as possible and type in your OS name if it doesn't
recognize the machine.

.mike
