|
# Explanations
Every operating system has its own way to construct some SYN packets,
this is called Fingerprinting because it permits to identify which OS
sent which packet. This must be clear it's not a perfect filter and
may be easily get bypassed if you want to.
Because if some packets required to identify the operating system, only
TCP connections can be filtered by OS. The OS list and SYN values can
be found in the file /etc/pf.os.
# How to setup
The keyword "os $value" must be used within the "from $address"
keyword. I use it to restrict the ssh connection to my server only to
OpenBSD systems (in addition to key authentication).
```OpenBSD packet filter configuration file including comments
# only allow OpenBSD hosts to connect
pass in on egress inet proto tcp from any os OpenBSD to (egress) port 22
# allow connections from $home IP whatever the OS is
pass in on egress inet proto tcp from $home to (egress) port 22
```
This can be a very good way to stop unwanted traffic spamming logs but
should be used with cautiousness because you may incidentally block
legitimate traffic. |