OpenBSD Journal

PF fingerprinting capabilities

Contributed by jose on from the ink-on-your-hands dept.

Mike Frantzen writes: "Passive operating system fingerprinting was just committed to PF which exposes the source host's OS to the filter language. Powerful policy enforcement is now possible such as redirecting all older windows boxes to a web site telling them to upgrade. Or blocking all windows boxes from connecting to mail servers (damn worms). A writeup can be found at http://www.w4g.org/fingerprinting.html . Please help contribute to the OS fingerprint database by going to http://lcamtuf.coredump.cx/p0f-help/ and typing in your OS description if it does not recognize your OS."

Part of the commit message reads:


Date: Thu, 21 Aug 2003 13:12:09 -0600 (MDT)
From: Mike Frantzen

Subject: CVS: cvs.openbsd.org: src

CVSROOT:        /cvs
Module name:    src
Changes by:     frantzen@cvs.openbsd.org        2003/08/21 13:12:09

Modified files:
        sys/conf       : files 
        sys/net        : pf.c pf_ioctl.c pf_norm.c pfvar.h 
        sbin/pfctl     : Makefile parse.y pfctl.8 pfctl.c pfctl_parser.c 
                         pfctl_parser.h 
Added files:
        sys/net        : pf_osfp.c 
        sbin/pfctl     : pfctl_osfp.c 

Log message:
Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
.       block proto tcp from any os SCO
.       block proto tcp from any os Windows to any port smtp
.       rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

This also adds a -o option to tcpdump(8) which lets you view the OS based on SYN fingerprinting. Thanks guys, this is pretty insane stuff now.
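To make the mechanism concrete, here is an added illustration (not PF's pf_osfp.c and not p0f's own code) of p0f v2 style matching: it pulls the fingerprint fields out of a TCP SYN (window, initial TTL, DF bit, packet size, option layout), looks them up in a signature table written in the p0f v2 text layout, and then applies the two example rules from the commit message. The signature entries, the sample SYN packets and their addresses are constructed for this example and are not real fingerprint-database data.

```python
import struct

# Constructed signature table in the p0f v2 text layout
#   window:ttl:df:size:option_layout:quirks:OS:details
# (window: number, "*" or "Sn" = n*MSS; options M=mss N=nop W=wscale S=sackOK
# T=timestamp E=eol, "*" any value). Illustrative, not real p0f entries.
SIGNATURES = [
    "S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (constructed)",
    "65535:128:1:48:M*,N,N,S:.:Windows:2000/XP (constructed)",
    "8192:32:1:44:M*:.:Windows:98 (constructed)",
]

def parse_syn(pkt):
    """Extract p0f fields from a raw IPv4/TCP SYN; None if it is not a SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    df = (struct.unpack("!H", pkt[6:8])[0] >> 14) & 1    # IP don't-fragment bit
    ttl, proto, tcp = pkt[8], pkt[9], pkt[ihl:]
    if proto != 6 or tcp[13] & 0x12 != 0x02:             # TCP with SYN set, ACK clear
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, layout, mss, i = tcp[20:(tcp[12] >> 4) * 4], [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # EOL: stop, only padding follows
            layout.append("E")
            break
        if kind == 1:                 # NOP carries no length byte
            layout.append("N")
            i += 1
            continue
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
            layout.append("M%d" % mss)
        elif kind == 3:
            layout.append("W%d" % opts[i + 2])
        else:
            layout.append({4: "S", 8: "T"}.get(kind, "?%d" % kind))
        i += opts[i + 1]
    return {"window": window, "ttl": ttl, "df": df, "size": total_len,
            "layout": layout, "mss": mss}

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next((t for t in (32, 64, 128, 255) if ttl <= t), 255)

def match_window(spec, fp):
    if spec == "*":
        return True
    if spec.startswith("S"):          # window given as a multiple of the MSS
        return fp["mss"] is not None and fp["window"] == int(spec[1:]) * fp["mss"]
    return fp["window"] == int(spec)

def match_layout(spec, layout):
    want = spec.split(",") if spec else []
    return len(want) == len(layout) and all(
        have.startswith(w[:-1]) if w.endswith("*") else w == have
        for w, have in zip(want, layout))

def lookup(fp, sigs=SIGNATURES):
    """Return (os, details) for the first matching signature, else None."""
    for sig in sigs:
        win, ttl, df, size, layout, _quirks, os_name, details = sig.split(":", 7)
        if (match_window(win, fp) and initial_ttl(fp["ttl"]) == int(ttl)
                and fp["df"] == int(df) and fp["size"] == int(size)
                and match_layout(layout, fp["layout"])):
            return os_name, details
    return None

def decide(pkt, dport):
    """Apply the commit's example rules to one SYN: block Windows -> smtp,
    redirect Windows 98 -> www; everything else passes."""
    fp = parse_syn(pkt)
    os_name, details = (lookup(fp) if fp else None) or (None, "")
    if os_name == "Windows" and dport == 25:
        return "block"
    if os_name == "Windows" and details.startswith("98") and dport == 80:
        return "rdr 127.0.0.1 port 8001"
    return "pass"

def build_syn(ttl, df, window, options):
    """Construct a test IPv4/TCP SYN (RFC 5737 addresses, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, (5 + len(options) // 4) << 4,
                      0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 25]))
    return ip + tcp

# Constructed sample SYNs; TTLs are a few hops below their initial values.
WIN2K_SYN = build_syn(119, 1, 65535, b"\x02\x04\x05\xb4\x01\x01\x04\x02")
WIN98_SYN = build_syn(29, 1, 8192, b"\x02\x04\x05\xb4")
LINUX_SYN = build_syn(57, 1, 5840, b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + bytes(8)
                      + b"\x01\x03\x03\x00")
```

Because only the SYN is inspected and nothing is sent back, the same classification works wherever pf sees the packet, including on a bridge; a host that rewrites its SYN fields (or sits behind a relay that does) is classified as whatever the rewritten SYN looks like, which is why the text treats this as policy rather than security.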



Comments
  1. By Daniel Hartmeier () daniel@benzedrine.cx on http://www.benzedrine.cx/pf.html

    I'm running the code since two days now, it works very well.

    Blocking (or redirecting to spamd) incoming SMTP connections from Windows hosts very effectively blocks the currently spreading sobig.f virus. I wasn't sure how many legitimate peers use Windows relays, but the test shows that even peers using Windows clients relay through (their ISPs') Unix. YMMV.

    Please visit

    http://lcamtuf.coredump.cx/p0f-help
    and help build an accurate fingerprint database.

  2. By Anonymous Coward () on

    Wow I thought pf could not get any better and now I can route certain OSes. What is next in the OpenBSD and pf world?

    Thank you OpenBSD and pf gods

    Comments
    1. Comments
      1. By Anonymous Coward () on

        Your comment has been rated 10 of 10 on the Spamming your damn website scale

      2. By krh () on

        Well, while I think your web site is somewhat amusing, I also think you're making unsupported generalizations about OpenBSD users. I, for one, use OpenBSD because I like it, not because I like Theo. I disagree with some of his stated opinions, and I think that some of his social skills are distinctly suboptimal. If I were choosing operating systems on the basis of personality, OpenBSD would lose. Instead I choose based on quality, and there OpenBSD wins.

        Comments
        1. By Anonymous Coward () on

          Theo just speaks the truth.

          Comments
          1. By Anonymous Coward () on

            Actually, he often speaks the idiocy.

            For example, when he helped scare away DARPA funding for the Hackathon, someone told him that he can make an independent deal with the hotel despite DARPA's refusal to allow their deposit to be used. He called the guy a moron instead of doing 15 seconds of googling to find out that hotel rates are just about INFINITELY variable. Anyone who has more brain cells than George W Bush knows that. But, surprise surprise, Theo didn't.

            I agree with the grandparent 100%.

  3. By Anonymous Coward () on

    Wow!

    Is there anything left that pf can't do?

    Comments
    1. By Angel Todorov () atodorov@acm.org on mailto:atodorov@acm.org

      filtering based on MAC addresses -:)?

      Comments
      1. By jose () on http://monkey.org/~jose/

        no. pf sits after ip_input(), which is after eth_input(). this means that the ethernet header is already long gone.

        man brconfig for layer 2 filtering. very easy to do, but it's not pf's domain.

        Comments
        1. By Jason Dixon () jason@dixongroup.net on mailto:jason@dixongroup.net

          *Bzzz!* Wrong. :)

          Brconfig and PF in -current support tagging at layer 2 and filtering at layer 3, based on those tags. In brconfig(8), check out the "tag" example towards the bottom. In pf.conf(5), look for the "tagged" filtering parameter.

          -J.

        2. By Anonymous Coward () on

          While I understand why pf cannot filter on mac address at this time, its name 'packet filter' implies that it should be able to do much more than just IP.

          Comments
          1. By Brad () on

            You're reading way too much into the name and making wild assumptions.

      2. By Jason Dixon () jason@dixongroup.net on mailto:jason@dixongroup.net

        Brconfig and PF in -current support tagging at layer 2 and filtering at layer 3, based on those tags. In brconfig(8), check out the "tag" example towards the bottom. In pf.conf(5), look for the "tagged" filtering parameter.
        -J.

      3. By Anonymous Coward () on

        Read the archives. This has already been discussed many times.

        pf just doesn't filter at that layer, so this will never happen.

      4. By henning () henning@openbsd.org on mailto:henning@openbsd.org

        actually, it can ;-)
        some months back I added code so that you can tag packets in the bridge filter, and filter based on those tags in pf.

        Comments
        1. By Anonymous Coward () on

          Really
          Is it documented somewhere or can you tell us how?

          Thanks for your work in the OpenBSD project

    2. By Anonymous Coward () on

      Pay the rent... But who needs shelter? ;P

    3. By Anonymous Coward () on

      layer-7 filtering would be cool... but my coding skills are subpar right now so i'm not even going to ask for it. =)

      Comments
      1. By djm () on

        L7 filtering doesn't belong in the kernel, but it would be nice if there were some way that pf could pass packets to a user-space process for inspection *before* they were forwarded.

        Actually, such an ability exists now - but one has to use application level proxies which must persist for the lifetime of the session (see how ftp-proxy works).

    4. By Anonymous Coward () on

      Get me a date on Friday night?

      Comments
      1. By Anonymous Coward () on

        actually pf can do that. it's just undocumented.

        Comments
        1. By Eduardo Alvarenga () on

          Don't you mind showing us the secret?

      2. By Anonymous Coward () on

        pass in
        pass out
        pass in
        pass out

        with those kinds of skills, who wouldn't want you?

        Comments
        1. By krh () on

          block all?

    5. Comments
      1. By Anonymous Coward () on

        This is being worked on. pfsync(4) is likely to be part of it.

        Comments
        1. By Pete () pete@pimp.as on mailto:pete@pimp.as

          I'm wondering if there's a way to do virtual ethernet trunking (200Mb/s combined) across two openbsd boxen to bypass the VRRP patent and make the firewalls redundant. Of course you're going to have issues with the way a switch actually trunks the ports, but there may be a few that could work like this. The only problem I can see with this is that you will need a switch that supports trunking and one would have to figure out how to make it so that you could have two or more switches in a fully mesh setup for zero downtime. I haven't had time to test this out, but it'd be interesting to see the results.

          Comments
          1. By Anonymous Coward () on

            Why not just make the OpenBSD interfaces part of the STP topology?

            You'd place the secondary firewall in blocking mode initially. When the primary goes down, the secondary unblocks...

            You can also do some fancy tricks with OSPF and loopback interfaces to achieve similar results.

            Comments
            1. By Anonymous Coward () on

              What about for aggregation or balancing load across multiple firewalls?

              Comments
              1. By earx () on

                already done in pf

              2. By Anonymous Coward () on

                You could do some fun stuff with ECMP and OSPF to load-share across a pair of firewalls.

            2. By grey () on

              Would using spanning tree really help you with keeping state on existing connections at the time of failure? Ideally you want stateful failover between the two machines, not just failover (already there are simple methodologies for things like that).

              There have even been a couple of (ok, well I can think of one) firewall failover implementations (iirc some firewall+IPSec product on Vax clusters) which could even keep state for IPSec sessions without needing to reauthenticate.

              I really don't know how deep attempts at stateful failover are going for pf. I imagine that they want to do it well - and given the hurdles of doing so without encroaching on patents, I guess it's understandable that this feature is taking a lot of time to work on.

              Comments
              1. By Anonymous Coward () on

                You have pfsync for state sharing, and Spanning Tree for failover.
                2 totally separate things.

                BTW- Checkpoint can even do IPSEC Clusters (ala, gateway clusters)

          2. By m0nknutz () on

            I'm still curious about VRRP and the patent issues, everything I've seen has been individuals gathering petitions and such to let the free source community use VRRP. Then I've read articles with people from Cisco saying that there isn't a patent problem and that anyone can use it, since their flagship is HSRP. How is Nokia using it on their IPSO (BSD-based) products? It's not a purchased license when you use it. I think that load-balancing and fail-over are the only two huge factors that make corporations even think about changing to some free source packet filter. Cheers to the os fingerprints, I submitted some Cacheflow fingerprints. =)

            Comments
            1. By Brad () on

              Buying a product such as a Nokia firewall does essentially license you to use VRRP via some sort of arrangement Nokia has made with Cisco. Unless Cisco allows the use of their patent without ANY restrictions which they are not willing to (so far) then it's not good enough.

    6. By Anonymous Coward () ben@zouh.org on mailto:ben@zouh.org

      I was wondering how we could achieve, with pf, that pretty netfilter feature that allows applying limits per host (per same host, unlike altq QoS).

      For instance: to be able to limit syn packets for ip xx port yy at a maximum of zz per second per client (meaning: zz/second for each client, not for all clients).

      Of course the altq code allows us to rate limit traffic. But restrictions stand for a whole class unless we know the flooder ip or network when we write the ruleset.
      Same effect when tuning the internal limits of pf (like tcp.established) for a given service: a flooder won't overload the server, but can disallow access to this service by consuming all "limit-defined" resources.

      Something very useful would allow us to limit, for each rule, the number of matches (ie: syn connections) for the same client per second, rather than limiting it globally, for all hosts or a part of all hosts.

      This would protect us in several cases:
      - protect slow or resource-consuming network applications and services (heavy cgis, slow servers ...) from accepting too many connections from the same host.
      - disallow all unexpected client behaviors (how could someone request more than 2 pop3 cnx/sec?)
      - limit syn|icmp|... floods more accurately (by limiting only the attacker) and without side-effects.

      Maybe this could be achieved with some existing pf feature: in this case, please, teach me the trick!

      (and in all cases: apologies for my English ...).

      Comments
      1. By Anonymous Coward () ben@zouh.org on mailto:ben@zouh.org

        This could be done by replacing inetd by xinetd.
        Only for inetd -- not standalone -- services.

        ps: why doesn't OpenBSD-inetd do that?

      2. By Anonymous Coward () on

        synproxy in pf accomplishes some of what you are asking.

        StatiK76

      3. By Anonymous Coward () on

        You can use the per-rule state limit option to cap the total number of active connections. Not quite the same as a rate limit, but still useful.

        pass ... keep state(limit NNN)

    7. By Anonymous Coward () on

      recursive macros (and allowing (if) syntax in tables) would be very useful.

      Comments
      1. By djm () on

        Are anchors not enough?

    8. By Anonymous Coward () on

      Although pf is now known to be able to cure baldness, it is still unreliable (at least in 3.3 release) at bringing world peace. 3.5 might have it, though.

      Comments
      1. By Anonymous Coward () on

        Please elaborate on this. I think everyone would be interested to know your findings with PF's reliability.

        Comments
        1. By Anonymous Coward () on

          with bringing world peace? Well, it doesn't do that at all times.

          There are even a few posts on this page that are of the divisive nature. We fall short of the goal of world peace brokerage on a grand scale.

  4. By Anonymous Coward () on

    someone explain to me why this is a good thing. what's next, app layer filtering?
    at least with netfilter this kind of crap is modular and you can keep it out of your kernel. looks like we'll be needing "option WITHOUT_PF_BLOAT" in 3.4..

    Comments
    1. By Anonymous Coward () on

      It may add an OPTIONAL COMPLEXITY to CONFIGURATION, but this won't impact performance unless you use it.

      It may not be incredibly practical for most real-world apps, but someone will use it. Besides, it's damned cool. The fact that I can have my firewall automatically block Windows 95/98 (NON 2K/XP) users, that's damned cool.

    2. By djm () on

      Have you looked at the code, troll? Next time, try reading the code before making a fool of yourself.

      It is simple, tiny and only invoked once per TCP SYN packet and then only if you explicitly turn it on in pf.conf (via a "os XXX" directive).

      Don't like it? Don't use it.

    3. By Anonymous Coward () on

      I totally agree. I don't think such a feature should be in a firewall and in a kernel. If you want to have it in a module, why not? But never in the kernel. That's not its place!
      What was a good point for pf (not to be overbloated like netfilter) is sadly becoming false.

      Comments
      1. By Anonymous Coward () on

        What was a good point for pf (not to be overbloated like netfilter) is sadly becoming false.

        Because of this very 1 feature? hahaha! I agree! lol.

        I'm wondering if you have seen too many black/white movies.

        Comments
        1. By Anonymous Coward () on

          Yes, today only 1 feature, but tomorrow?

          Netfilter just started like that ...

          What I meant was not to forbid new features but to have MODULES for stuff like that.

          Comments
          1. By vincent () on

            stop thinking about tomorrow.

            if you find it is too bloated in 2 days, THEN whine, if it's not this particular change that bothers you (especially since, as others have said, it has no impact unless you activate it)

            -Vincent

            Comments
            1. By Anonymous Coward () on

              so the next thing is nmap in the kernel? :)

              be serious! such a thing has nothing to do in a kernel! even netfilter people understand that!

              Comments
              1. By zelda () on

                Sigh, then go use Netfilter! They are obviously much smarter than the PF folks! They are Codemonkey Supremacy!

                Oh, wait a sec... you got me there :-)

                Like Vincent said: it doesn't matter when you don't activate it. You can always make your own custom kernel.

              2. By Anonymous Coward () on

                art@ would kill the committer if he would think that this doesn't belong in the kernel. See mailing lists.

                This is a good feature to have. The calculation of the OS fingerprint is done only once per connection, and if you want to remove that as well, you are welcome to write a proper event mechanism and respective userland daemon. :)

          2. By henning () heninng@openbsd.org on mailto:heninng@openbsd.org

            > What I meant was not to forbid new features but
            > to have MODULES for stuff like that.

            you obviously have no idea what a security disaster that would be.
            the idea alone of loading code into kernel space at runtime is pretty sick...

        2. By Anonymous Coward () on

          I'm wondering if you have seen too many black/white movies. He's a borderliner, that's all ;-)

    4. By Anonymous Coward () on

      I have to agree, but not because it is bloat, because it's just a bad idea. Implementation details aside, filtering by protocol is a good idea, by operating system is not. The only legitimate reason to filter by OS is if you know that OS should not exist on that network segment. If you're worried about bugs/malware, filter the bugs, not the carrier.

      Comments
      1. By Anonymous Coward () on

        Some big corporations don't use firewalls for security so much as for implementing policy. PF now has the capability for enforcing more of that policy.

        For example your corporate policy is that all laptops must be running Windows 2000. Now PF can redirect non-conforming desktops to a web page telling them to upgrade "or else".

        Keep audit statistics on how many connections were from Windows, MacOS, Linux, other (by putting them in different rules).

        Maybe I'm a unix friendly ISP that redirects all Windows SMTP to the ISP mx host and lets non-Windows route their own mail. Policy...

        Think beyond the firewall on your DSL or cablemodem line and it'll start making sense.

        Comments
        1. By Anonymous Coward () on

          your corporate policy is that all laptops must be running Windows 2000. Now PF can redirect non-conforming desktops to a web page telling them to upgrade "or else".

          Make sure you also accommodate vendors/tech support ppl/etc who come onsite with their own equipment and need to connect offsite.

          Keep audit statistics on how many connections were from Windows, MacOS, Linux, other (by putting them in different rules).

          Why not do this on a per-service basis? I care that win/IE6 hit my website, not just win vs. openbsd, etc.

          Maybe I'm a unix friendly ISP that redirects all Windows SMTP to the ISP mx host and lets non-Windows route their own mail.

          I suppose...

          Think beyond the firewall on your DSL or cablemodem line and it'll start making sense.

          I have been. I guess this could be useful for honeypots, you might want to rdr nix attackers to one honeypot and win attackers to another. Or for services that don't otherwise keep OS but you want to do something by OS, like rdr dhcp requests from macs to one if and one range, another for win, etc.

          It just really seems to me that most uses for this should be done in userland by the service. I understand that it will be faster and more efficient in kernel, but the same is true of services - a webserver in kernel will be faster than in userland. How many uses are there for this tech that could not be done in userland?

          Comments
          1. By tedu () on

            explain how you would restrict windows hosts from making outbound connections to port 25 while permitting unix hosts using a userland tool.

            Comments
            1. By Anonymous Coward () on

              I'd rather restrict all ip addresses except my mail relays from making outbound port 25 connections. Everyone else, independent of OS, should be using the main relays. pf already allowed this.

              Comments
              1. By frantzen () on

                then my laptop won't be able to send mail in your environment if you paid me to come in and debug your firewall.

                btw, you're still confusing security with policy. they're whole different beasts

        2. By Anonymous Coward () on

          Some big corporations don't use firewalls for security so much as for implementing policy. PF now has the capability for enforcing more of that policy.

          That is interesting. It seems like a really weird place to enforce an OS policy though...

          Maybe I'm a unix friendly ISP that redirects all Windows SMTP to the ISP mx host and lets non-Windows route their own mail. Policy...

          Policy attempting to be security? Why else would you do that? It's not Unix friendly, it's Windows hostile.

          Think beyond the firewall on your DSL or cablemodem line and it'll start making sense.

          I'm afraid it won't, we can't all be as gifted as you are.

          Besides which, the first thought on everyone's mind is "ooh, we can block out all those Windows worms!" You can, but this is the wrong solution. If Windows machines have no business connecting on port 447, no one does. Same goes for viruses going out on SMTP.

  5. By Anonymous Coward () on

    where can we send the beer?

  6. By Wijnand () on http://NedBSD.nl

    One Packet Filter to rule them all!

  7. By map-ip-to-name () nobody@localhost on http://phrack.efnet.ru/phrack/opencult/

    "Thanks guys, this is pretty insane stuff now."
    indeed!

    http://phrack.efnet.ru/phrack/opencult/

    Comments
    1. By Anonymous Coward () on

      > http://phrack.efnet.ru/phrack/opencult/

      *lol* Looks like Theo has a new admirer!

    2. By Anonymous Coward () on

      yeah, Russians lived in the Era of Absurdity and Cults for the Ignorant for so long that they can tell one when they see

      Comments
      1. By Anonymous Coward () on

        So have the Americans.

    3. Comments
      1. By Anonymous Coward () on

        Get a hobby loser.

        Yes, you have no life.

    4. By Anonymous Coward () on

      you keep trying to make openbsd look insecure but host your site on redhat, oh the irony.

  8. By Anonymous Coward () Coward@deadly.org on mailto:Coward@deadly.org

    Too bad you can't disguise your OS type with PF like you can with NETFILTER.

    Comments
    1. By Anonymous Coward () on

      modulate state

  9. By Anonymous Coward () on

    Cool! I just found out, while trying the submit-your-fingerprint page, that my ISP's proxy servers are running OpenBSD :)
    Now I like my ISP even more *g* :)

    Comments
    1. Comments
      1. By Brad () on

        You have been rated 10 out of 10 on the asshat scale. Get a life reject.

  10. By Anonymous Coward () on

    can we get rid of the opencult troll?

    Comments
    1. By Anonymous Coward () on

      No doubt!

    2. By Anonymous Coward () on

      pf.conf his ass!

  11. By Ed () on http://www.stearns.org/p0f/README

    ------ http://www.stearns.org/p0f/README ------
    The p0f utility and related utilities are free software; you can
    redistribute it and/or modify it under the terms of the GNU Library
    General Public License as published by the Free Software Foundation;
    either version 2 of the License, or (at your option) any later
    version.
    ----------------------------------------------

    p0f is GPLed.

    How much is "derived work" your code ?

    Comments
    1. By Ulysses () on

      oh please........

      Comments
      1. By djm () on

        Yeah, as if the same team who have just audited their tree for license violations and are actually rewriting GPL tools will screw up like that...

    2. By jose () on http://monkey.org/~jose/

      i asked, the parts imported were relicensed for openbsd under a bsd license. that's the author's choice to do so, and he chose to do so.

    3. By frantzen () on

      i wrote all of the code in pf's fingerprinting. Michal Zalewski, the primary author of the fingerprint database, let me re-release a derivation under a BSD style license.

      actually I did p0f v1 first which Zalewski and Stearns both had a copyright on. Stearns never responded to my request to relicense a derivative of the database. then Zalewski had some ideas for p0f v2, he started on it, it required a whole new database from scratch with nothing from Stearns, I rewrote PF's fingerprinting to use the v2 algorithm and database, and the sole copyright owner Zalewski allowed me to release a derivation of the database under a BSD style license.

      we're VERY paranoid about licensing in the OpenBSD camp; even before the whole SCO bullshit

      Comments
      1. By Anonymous Coward () on

        I'm all for the BSD license and please don't take the following questions as some form of flame. I'm just trying to understand licensing issues.

        I thought that once code is GPL'ed, it remains forever GPL'ed. I read sometime ago about some software that was GPL'ed and it was "too late" to change it to a less-restrictive license. Is it actually possible to "re-license" GPL'ed code? What happens when there are two duplicate copies of the same code in circulation - one GPL'ed, and one BSD-licensed?

        If you can answer these questions, and if someone can point me to any site that accurately summarizes all these opensource license issues, I'll be really thankful.

        Comments
        1. By Sam () on

          Of course it can be done.

          The earlier version will always be under the GPL and that can not be revoked for that version. But later versions can be under any license you like if the copyright owners of the code all agree.

          Comments
          1. By Anonymous Coward () on

            But the later versions of the code would always have some portion of code from the earlier version. What license are the similar portions under?

        2. By Anil () avsm@ on mailto:avsm@

          Authors can relicense their own code any way they please; that's what happened here.

  12. By Anonymous Coward () on

    Would this OS fingerprinting work on a transparent bridge (ipless bridge)?

    The README said something to the effect that the fingerprinting device has to receive a SYN packet (but also says it doesn't have to do anything to it - I'm assuming they're meaning that it doesn't have to do a SYN+ACK or anything such as that) which leads me to my question... Could this work transparently and passively on a transparent bridge, using OpenBSD?

    Might be a dumb question to some, but I'm curious.

    TIA!

    Comments
    1. By Anonymous Coward () on

      Yes. This addition is a filter option, which means it applies to any SYN packet pf sees. Since it is passive (no modification or reaction required), it doesn't matter how pf gets it -- from kernel routing, bridge forwarding, whatever.

    2. By Anonymous Coward () on

      yes, this works without any catches on a transparent bridge. transparent bridges can have issues when they try to generate/send traffic, but this is a completely passive feature.

  13. By Z-Blocker () on

    I would like to see "set timeout tcp.xxx" on a port basis.
    Something like "set timeout tcp.finwait port 80"
    This is possible in CheckPoint but not (yet) with pf.

    Comments
    1. By Anonymous Coward () on

      eh?

      pass proto tcp to any port 80 keep state (tcp.closing 10)

    2. By Philipp () pb@ on mailto:pb@

      you *can* do that already :-)

      see, pf.conf(5) 'STATEFUL TRACKING OPTIONS':

      pass in proto tcp from any to any
      port www flags S/SA keep state
      (max 100, tcp.established 60, tcp.closing 5)

      Case closed. ;)

      //pb@

      Comments
      1. By Z-Blocker () on

        Hey thank you, did not know about that.
        I like pf more and more :)

        Comments
        1. By Sam () on

          If you think something useful isn't in PF; look again.
          Because it probably is.

          Comments
          1. By Z-Blocker () on

            I think you are right.
            Failover and clustering is on the way I guess.

            Comments
            1. By Anonymous Coward () on

              Is it expected to fail on regular basis like major product does ???

              Comments
              1. By Z-Blocker () on

                Well that depends.
                In some situations people want 0 downtime.
                Everything is then failover: 2 leased lines, 2 routers, 2 firewalls and 2 routers again.
                Most people want failover because they don't want to rely for 100% on 1 box.
                If pf could provide that, then it is less far away from an enterprise firewall.

                Z

  14. By Anonymous Coward () on

    Speaking of fingerprints, it would be awesome if OpenBSD had a system like ip-personality. ip-personality allows a Linux box to "pass" as many other kinds of boxes, such as Windows boxes. That would be a great feature for OpenBSD. Make it "pass" as the latest Windows 2002 Server box and all the attacks you will get... will be for the wrong target.

    Comments
    1. By Anonymous Coward () on

      That's just obscurity though.

      Comments
      1. By Anonymous Coward () on

        That's just obscurity though.

        Um... that's precisely the point...?

  15. By PeO () on

    I have trouble enabling pf using cvs updated kernel since 22 Aug:

    # pfctl -f /etc/pf.conf
    pfctl: DIOCBEGINRULES: Operation not supported by device

    what device ?

    /PeO

    Comments
    1. By Anonymous Coward () on

      The /dev/pf device. You need to update pfctl too. In fact, you should always track -current completely (userland too), not just the kernel.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed.