Contributed by jose on from the ink-on-your-hands dept.
Part of the commit message reads:
Date: Thu, 21 Aug 2003 13:12:09 -0600 (MDT)
From: Mike Frantzen
Subject: CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: frantzen@cvs.openbsd.org 2003/08/21 13:12:09
Modified files:
sys/conf : files
sys/net : pf.c pf_ioctl.c pf_norm.c pfvar.h
sbin/pfctl : Makefile parse.y pfctl.8 pfctl.c pfctl_parser.c pfctl_parser.h
Added files:
sys/net : pf_osfp.c
sbin/pfctl : pfctl_osfp.c
Log message:
Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF. Exposes the source IP's operating system to the filter language. Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001
This also adds a -o option to tcpdump(8) which lets you view the OS based on SYN fingerprinting. Thanks guys, this is pretty insane stuff now.
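As an added illustration of what the new "os" keyword relies on (example code written for this page, not PF's pf_osfp.c and not Zalewski's p0f): a p0f v2 style SYN fingerprinter. It pulls the window size, TTL, DF bit, header size, TCP option layout and a few "quirks" out of a raw SYN and compares them with signatures written in the p0f v2 line format. The two signature lines, the packets, the 10.0.0.x addresses and the TTL rounding rule are constructed or simplified assumptions for the demo, not values from the real p0f.fp database.

```python
"""p0f v2 style passive SYN fingerprinting, written as an illustration for this
thread. It is not PF's pf_osfp.c and not Zalewski's p0f; the signature lines,
packets and TTL rounding rule below are constructed/simplified for the example."""
import struct
from typing import Any, Dict, List, Tuple

FIELDS = ("wss", "ttl", "df", "size", "options", "quirks", "os", "details")

def parse_signature(line: str) -> Dict[str, str]:
    """p0f v2 line 'wss:ttl:df:size:options:quirks:os:details' -> field dict.
    wss is a number, '*', 'S<n>' (n*MSS) or 'T<n>' (n*MTU); quirks is '.' when
    none, else letters such as Z (zero IP ID), A (ACK set), U (URG set), D (data)."""
    return dict(zip(FIELDS, line.split(":", 7)))

def parse_syn(pkt: bytes) -> Dict[str, Any]:
    """Extract the fingerprint fields from a raw IPv4+TCP SYN (checksums are not verified)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id, frag = struct.unpack("!HHH", pkt[2:8])
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    ack, = struct.unpack("!I", tcp[8:12])
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    wss, _csum, urg = struct.unpack("!HHH", tcp[14:20])
    if (flags & 0x3F) != 0x02:                         # only a bare SYN carries the fingerprint
        raise ValueError("not a bare SYN")
    quirks = [q for q, hit in (("Z", ip_id == 0), ("A", ack != 0), ("U", urg != 0),
                               ("D", total_len > ihl + doff)) if hit]
    opts, mss, raw, i = [], None, tcp[20:doff], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                  # EOL
            opts.append("E")
            if any(raw[i + 1:]): quirks.append("P")    # bytes past EOL
            break
        if kind == 1:                                  # NOP
            opts.append("N"); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            quirks.append("!"); break                  # truncated/malformed option
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2 and length == 4:
            mss, = struct.unpack("!H", data); opts.append("M%d" % mss)
        elif kind == 3 and length == 3:
            opts.append("W%d" % data[0])
        elif kind == 4 and length == 2:
            opts.append("S")
        elif kind == 8 and length == 10:
            ts1, ts2 = struct.unpack("!II", data)
            opts.append("T" if ts1 else "T0")
            if ts2: quirks.append("T")                 # non-zero timestamp echo in a SYN
        else:
            opts.append("?%d" % kind)
        i += length
    return {"wss": wss, "ttl": pkt[8], "df": 1 if frag & 0x4000 else 0, "size": ihl + doff,
            "mss": mss, "options": ",".join(opts), "quirks": "".join(quirks) or "."}

def guess_initial_ttl(ttl: int) -> int:
    """Assumption: simplifies p0f's TTL distance logic by rounding up to a common initial TTL."""
    return next((t for t in (32, 64, 128, 255) if ttl <= t), 255)

def wss_matches(sig_wss: str, info: Dict[str, Any]) -> bool:
    if sig_wss == "*":
        return True
    if sig_wss[0] in "ST":                             # multiple of MSS, or of MTU (MSS+40)
        if info["mss"] is None:
            return False
        unit = info["mss"] if sig_wss[0] == "S" else info["mss"] + 40
        return info["wss"] == int(sig_wss[1:]) * unit
    return info["wss"] == int(sig_wss)

def options_match(sig_opts: str, seen: str) -> bool:
    a, b = sig_opts.split(","), seen.split(",")
    return len(a) == len(b) and all(s == o or (s == "M*" and o.startswith("M"))
                                    for s, o in zip(a, b))

def match(info: Dict[str, Any], db: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    return [(s["os"], s["details"]) for s in db
            if wss_matches(s["wss"], info) and int(s["ttl"]) == guess_initial_ttl(info["ttl"])
            and int(s["df"]) == info["df"] and int(s["size"]) == info["size"]
            and options_match(s["options"], info["options"]) and s["quirks"] == info["quirks"]]

# Constructed signatures in p0f v2 syntax (illustrative, not lines from the real p0f.fp).
DB = [parse_signature(line) for line in (
    "65535:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD-like:constructed",
    "65535:128:1:48:M*,N,N,S:.:Windows-like:constructed")]

def build_syn(ttl: int, df: int, ip_id: int, wss: int, options: bytes) -> bytes:
    """Constructed IPv4+TCP SYN for the demo (checksums zero, 10.0.0.1 -> 10.0.0.2 port 25)."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, (tcp_len // 4) << 4, 0x02, wss, 0, 0)
    return ip + tcp + options

MSS1460, NOP, SACKOK, WS0 = b"\x02\x04\x05\xb4", b"\x01", b"\x04\x02", b"\x03\x03\x00"
TS = b"\x08\x0a" + struct.pack("!II", 0x12345, 0)

def fingerprint_demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    # Both senders sit a few hops away, so the TTL seen on the wire is below the initial value.
    bsd = build_syn(61, 1, 0x1234, 65535, MSS1460 + NOP + NOP + SACKOK + NOP + WS0 + NOP + NOP + TS)
    win = build_syn(117, 1, 0x5678, 65535, MSS1460 + NOP + NOP + SACKOK)
    return match(parse_syn(bsd), DB), match(parse_syn(win), DB)
```

Everything the matcher looks at is chosen by the sending TCP stack, so a host whose window size, TTL or option order has been tuned (or whose SYNs pass through a NAT or proxy that rewrites them) is classified as whatever it resembles, not as what it is. That is the sense in which "os" rules are policy rather than security, and why the fingerprint database needs the contributions the thread asks for.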
By Daniel Hartmeier () daniel@benzedrine.cx on http://www.benzedrine.cx/pf.html
Blocking (or redirecting to spamd) incoming SMTP connections from Windows hosts very effectively blocks the currently spreading sobig.f virus. I wasn't sure how many legitimate peers use Windows relays, but the test shows that even peers using Windows clients relay through (their ISPs') Unix. YMMV.
Please visit http://lcamtuf.coredump.cx/p0f-help and help build an accurate fingerprint database.
By Anonymous Coward () on
Thank you OpenBSD and pf gods
By map-ip-to-name () nobody@localhost on http://phrack.efnet.ru/phrack/opencult/
By Anonymous Coward () on
By krh () on
By Anonymous Coward () on
By Anonymous Coward () on
For example, when he helped scare away DARPA funding for the Hackathon, someone told him that he can make an independent deal with the hotel despite DARPA's refusal to allow their deposit to be used. He called the guy a moron instead of doing 15 seconds of googling to find out that hotel rates are just about INFINITELY variable. Anyone who has more brain cells than George W Bush knows that. But, surprise surprise, Theo didn't.
I agree with the grandparent 100%.
By Anonymous Coward () on
Is there anything left that pf can't do?
By Angel Todorov () atodorov@acm.org on mailto:atodorov@acm.org
By jose () on http://monkey.org/~jose/
man brconfig for layer 2 filtering. very easy to do, but it's not pf's domain.
By Jason Dixon () jason@dixongroup.net on mailto:jason@dixongroup.net
Brconfig and PF in -current support tagging at layer 2 and filtering at layer 3, based on those tags. In brconfig(8) , check out the "tag" example towards the bottom. In pf.conf(5) , look for the "tagged" filtering parameter.
-J.
By Anonymous Coward () on
By Brad () on
By Jason Dixon () jason@dixongroup.net on mailto:jason@dixongroup.net
-J.
By Anonymous Coward () on
pf just doesn't filter at that layer, so this will never happen.
By henning () henning@openbsd.org on mailto:henning@openbsd.org
some months back I added code so that you can tag packets in the bridge filter, and filter based on those tags in pf.
By Anonymous Coward () on
Is it documented somewhere or can you tell us how?
Thanks for your work in the OpenBSD project
By Anonymous Coward () on
By Anonymous Coward () on
By djm () on
Actually, such an ability exists now - but one has to use application level proxies which must persist for the lifetime of the session (see how ftp-proxy works).
By Anonymous Coward () on
By Anonymous Coward () on
By Eduardo Alvarenga () on
By Anonymous Coward () on
pass out
pass in
pass out
with those kinds of skills, who wouldn't want you?
By krh () on
By bryan () bryan@integrity.com on mailto:bryan@integrity.com
By Anonymous Coward () on
By Pete () pete@pimp.as on mailto:pete@pimp.as
By Anonymous Coward () on
You'd place the secondary firewall in blocking mode initially. When the primary goes down, the secondary unblocks...
You can also do some fancy tricks with OSPF and loopback interfaces to achieve similar results.
By Anonymous Coward () on
By earx () on
By Anonymous Coward () on
By grey () on
There have even been a couple of (ok, well I can think of one) firewall failover implementations (iirc some firewall+IPSec product on Vax clusters) which could even keep state for IPSec sessions without needing to reauthenticate.
I really don't know how deep attempts at stateful failover are going for pf. I imagine that they want to do it well - and given the hurdles of doing so without encroaching on patents, I guess it's understandable that this feature is taking a lot of time to work on.
By Anonymous Coward () on
2 totally separate things.
BTW- Checkpoint can even do IPSEC Clusters (ala, gateway clusters)
By m0nknutz () on
By Brad () on
By Anonymous Coward () ben@zouh.org on mailto:ben@zouh.org
For instance: to be able to limit SYN packets for IP xx port yy to a maximum of zz per second per client (meaning: zz/second for each client, not for all clients).
Of course the altq code allows us to rate limit traffic. But the restriction stands for a whole class unless we know the flooder's IP or network when we write the ruleset.
Same effect when tuning the internal limits of pf (like tcp.established) for a given service: a flooder won't overload the server, but can disallow access to this service by consuming all "limit-defined" resources.
Something very useful would be to limit, for each rule, the number of matches (i.e. SYN connections) from the same client per second, rather than limiting it globally, for all hosts or a part of all hosts.
This would protect us in several cases:
- protect slow or resource-consuming network applications and services (heavy CGIs, slow servers ...) from accepting too many connections from the same host.
- disallow all unexpected client behaviours (how could someone request more than 2 pop3 connections/sec?)
- limit syn|icmp|... floods more accurately (by limiting only the attacker) and without side-effects.
Maybe this could be achieved with some existing pf feature: in this case, please, teach me the trick!
(and in all cases: apologies for my English ...).
By Anonymous Coward () ben@zouh.org on mailto:ben@zouh.org
This could be done by replacing inetd by xinetd.
Only for inetd -- not standalone -- services.
ps: why doesn't OpenBSD's inetd do that?
By Anonymous Coward () on
StatiK76
By Anonymous Coward () on
pass ... keep state(limit NNN)
By Anonymous Coward () on
recursive macros (and allowing (if) syntax in tables) would be very useful.
By djm () on
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
There are even a few posts on this page that are of the divisive nature. We fall short of the goal of world peace brokerage on a grand scale.
By Anonymous Coward () on
at least with netfilter this kind of crap is modular and you can keep it out of your kernel. looks like we'll be needing "option WITHOUT_PF_BLOAT" in 3.4..
By Anonymous Coward () on
It may not be incredibly practical for most real-world apps, but someone will use it. Besides, it's damned cool. The fact that I can have my firewall automatically block Windows 95/98 (NON 2K/XP) users, that's damned cool.
By djm () on
It is simple, tiny and only invoked once per TCP SYN packet and then only if you explicitly turn it on in pf.conf (via a "os XXX" directive).
Don't like it? Don't use it.
By Anonymous Coward () on
What was a good point for pf (not to be overbloated like netfilter) is sadly becoming false.
By Anonymous Coward () on
Because of this very 1 feature? hahaha! I agree! lol.
I'm wondering if you have seen too many black/white movies.
By Anonymous Coward () on
Netfilter just started like that ...
What I meant was not to forbid new features but to have MODULES for stuff like that.
By vincent () on
if you find it is too bloated in 2 days, THEN whine, if it's not this particular change that bothers you (especially since, as others have said, it has no impact unless you activate it)
-Vincent
By Anonymous Coward () on
be serious ! such a thing has nothing to do in a kernel ! even netfilter people understand that !
By zelda () on
Oh, wait a sec... you got me there :-)
Like Vincent said: it doesn't matter when you don't activate it. You can always make your own custom kernel.
By Anonymous Coward () on
This is a good feature to have. The calculation of the OS fingerprint is done only once per connection, and if you want to remove that aswell, you are welcome to write a proper event mechanism and respective userland daemon. :)
By henning () heninng@openbsd.org on mailto:heninng@openbsd.org
> to have MODULES for stuff like that.
you obviously have no idea what a security disaster that would be.
the idea alone of loading code into kernel space at runtime is pretty sick...
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
For example your corporate policy is that all laptops must be running Windows 2000. Now PF can redirect non-conforming desktops to a web page telling them to upgrade "or else".
Keep audit statistics on how many connections were from Windows, MacOS, Linux, other (by putting them in different rules).
Maybe I'm a unix friendly ISP that redirects all Windows SMTP to the ISP mx host and lets non-Windows route their own mail. Policy...
Think beyond the firewall on your DSL or cablemodem line and it'll start making sense.
By Anonymous Coward () on
Make sure you also accommodate vendors/tech support people/etc who come onsite with their own equipment and need to connect offsite.
Keep audit statistics on how many connections were from Windows, MacOS, Linux, other (by putting them in different rules).
Why not do this on a per-service basis? I care that win/IE6 hit my website, not just win vs. openbsd, etc.
Maybe I'm a unix friendly ISP that redirects all Windows SMTP to the ISP mx host and lets non-Windows route their own mail.
I suppose...
Think beyond the firewall on your DSL or cablemodem line and it'll start making sense.
I have been. I guess this could be useful for honeypots, you might want to rdr nix attackers to one honeypot and win attackers to another. Or for services that don't otherwise keep OS but you want to do something by OS, like rdr dhcp requests from macs to one if and one range, another for win, etc.
It just really seems to me that most uses for this should be done in userland by the service. I understand that it will be faster and more efficient in kernel, but the same is true of services - a webserver in kernel will be faster than in userland. How many uses are there for this tech that could not be done in userland?
By tedu () on
By Anonymous Coward () on
By frantzen () on
btw, you're still confusing security with policy. they're whole different beasts
By Anonymous Coward () on
That is interesting. It seems like a really weird place to enforce an OS policy though...
Maybe I'm a unix friendly ISP that redirects all Windows SMTP to the ISP mx host and lets non-Windows route their own mail. Policy...
Policy attempting to be security? Why else would you do that? It's not Unix friendly, it's Windows hostile.
Think beyond the firewall on your DSL or cablemodem line and it'll start making sense.
I'm afraid it won't, we can't all be as gifted as you are.
Besides which, the first thought on everyone's mind is "ooh, we can block out all those Windows worms!" You can, but this is the wrong solution. If Windows machines have no business connecting on port 447, no one does. Same goes for viruses going out on SMTP.
By Anonymous Coward () on
By Shane Lahey () s.lahey@roadrunner.nf.net on http://craz1.homelinux.com
By Wijnand () on http://NedBSD.nl
By map-ip-to-name () nobody@localhost on http://phrack.efnet.ru/phrack/opencult/
By Wijnand () on http://NedBSD.nl
By map-ip-to-name () nobody@localhost on http://phrack.efnet.ru/phrack/opencult/
indeed!
http://phrack.efnet.ru/phrack/opencult/
By Anonymous Coward () on
*lol* Looks like Theo has a new admirer!
By Anonymous Coward () on
By Anonymous Coward () on
By Gobbles Mommy () on http://stargliders.org/phrack/mmhs.jpg
BI GUYS!
By Anonymous Coward () on
Yes, you have no life.
By Anonymous Coward () on
By Anonymous Coward () Coward@deadly.org on mailto:Coward@deadly.org
By Anonymous Coward () on
By Anonymous Coward () on
Now I like my ISP even more *g* :)
By map-ip-to-name () nobody@localhost on http://phrack.efnet.ru/phrack/opencult/
By Brad () on
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
By Ed () on http://www.stearns.org/p0f/README
The p0f utility and related utilities are free software; you can
redistribute it and/or modify it under the terms of the GNU Library
General Public License as published by the Free Software Foundation;
either version 2 of the License, or (at your option) any later
version.
----------------------------------------------
p0f is GPLed.
How much is "derived work" your code ?
By Ulysses () on
By djm () on
By jose () on http://monkey.org/~jose/
By frantzen () on
actually I did p0f v1 first, which Zalewski and Stearns both had a copyright on. Stearns never responded to my request to relicense a derivative of the database. then Zalewski had some ideas for p0f v2; he started on it, it required a whole new database from scratch with nothing from Stearns, I rewrote PF's fingerprinting to use the v2 algorithm and database, and the sole copyright owner Zalewski allowed me to release a derivation of the database under a BSD style license.
we're VERY paranoid about licensing in the OpenBSD camp; even before the whole SCO bullshit
By Anonymous Coward () on
I thought that once code is GPL'ed, it remains forever GPL'ed. I read sometime ago about some software that was GPL'ed and it was "too late" to change it to a less-restrictive license. Is it actually possible to "re-license" GPL'ed code? What happens when there are two duplicate copies of the same code in circulation - one GPL'ed, and one BSD-licensed?
If you can answer these questions, and if someone can point me to any site that accurately summarizes all these opensource license issues, I'll be really thankful.
By Sam () on
The earlier version will always be under the GPL and that can not be revoked for that version. But later versions can be under any license you like if the copyright owners of the code all agree.
By Anonymous Coward () on
By Anil () avsm@ on mailto:avsm@
By Anonymous Coward () on
The README said something to the effect that the fingerprinting device has to receive a SYN packet (but also says it doesn't have to do anything to it - I'm assuming they're meaning that it doesn't have to do a SYN+ACK or anything such as that) which leads me to my question... Could this work transparently and passively on a transparent bridge, using OpenBSD?
Might be a dumb question to some, but I'm curious.
TIA!
By Anonymous Coward () on
By Anonymous Coward () on
By Z-Blocker () on
Something like "set timeout tcp.finwait port 80"
This is possible in CheckPoint but not (yet) with pf.
By Anonymous Coward () on
pass proto tcp to any port 80 keep state (tcp.closing 10)
By Philipp () pb@ on mailto:pb@
see, pf.conf(5) 'STATEFUL TRACKING OPTIONS':
pass in proto tcp from any to any
port www flags S/SA keep state
(max 100, tcp.established 60, tcp.closing 5)
Case closed. ;)
//pb@
By Z-Blocker () on
I like pf more and more :)
By Sam () on
Because it probably is.
By Z-Blocker () on
Failover and clustering is on the way I guess.
By Anonymous Coward () on
By Z-Blocker () on
In some situations people want 0 downtime.
Everything is then failover: 2 leased lines, 2 routers, 2 firewalls and 2 routers again.
Most people want failover because they don't want to rely for 100% on 1 box.
If pf could provide that, then it is less far away from an enterprise firewall.
Z
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
That's just obscurity though.
Um... that's precisely the point...?
By PeO () on
# pfctl -f /etc/pf.conf
pfctl: DIOCBEGINRULES: Operation not supported by device
what device ?
/PeO
By Anonymous Coward () on