Block OS Fingerprinting

Recently I've been doing some testing based on firewalls. The tests so far were done on a Debian (sarge) system and FreeBSD 6.0. On FreeBSD I used the Packet Filter (pf) as the firewall. After placing all the config files and checking for mistakes, I ran my first test to see if everything worked smoothly.

The very first thing I did was a port scan using Nmap. Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing and is a great tool for pen-testing as well. The following screenshot is the first scan I did from a Windows machine where Nmap was installed. The scan was made against the hosted FreeBSD firewall machine:


As you can see, the quick mode scan showed that the firewall machine had only one port open: ssh, listening on port 22. It was hard for the scanner to detect the OS, but it finally showed that I was running a FreeBSD machine 😦

To thwart Nmap’s efforts, we can employ firewall rules that block packets used for operating-system probes. These are fairly easy to spot, since several of them have invalid combinations of TCP flags. Some of the tests that Nmap performs cannot be blocked by PF by simply adding block rules, but they can be blocked if stateful filtering and a default deny policy have been implemented in the ruleset. This is because some of the tests make use of TCP options, which cannot be filtered with PF.

To block these fingerprinting attempts with FreeBSD’s PF, we can put rules similar to these in our /etc/pf.conf file:

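    set block-policy return

    block in log quick proto tcp flags FUP/WEUAPRSF       # only FIN, URG and PSH set
    block in log quick proto tcp flags WEUAPRSF/WEUAPRSF  # all eight flags set
    block in log quick proto tcp flags SRAFU/WEUAPRSF     # SYN, RST, ACK, FIN and URG set
    block in log quick proto tcp flags /WEUAPRSF          # no flags set at all
    block in log quick proto tcp flags SR/SR              # SYN and RST set together
    block in log quick proto tcp flags SF/SF              # SYN and FIN set together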
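To check what these rules do and do not catch, here is an added example (not part of the original post and not PF's own code) that models PF's `flags <set>/<mask>` test for the six rules above. The function names and the sample packets are constructed for illustration.

```python
# Added example: models pf's "flags <set>/<mask>" test for the rules above.
# TCP flag letters as pf writes them, with their bit values in the TCP header.
BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
        "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# The six flag specifications from the ruleset on this page, in rule order.
RULES = ["FUP/WEUAPRSF", "WEUAPRSF/WEUAPRSF", "SRAFU/WEUAPRSF",
         "/WEUAPRSF", "SR/SR", "SF/SF"]

def to_bits(letters):
    """Convert a string of pf flag letters (e.g. "SA") to a bitmask."""
    value = 0
    for ch in letters:
        value |= BITS[ch]
    return value

def rule_matches(spec, packet_flags):
    """pf semantics: of the flags named in <mask>, exactly <set> must be on."""
    want, mask = spec.split("/")
    return (to_bits(packet_flags) & to_bits(mask)) == to_bits(want)

def first_blocking_rule(packet_flags):
    """Return the first rule (all are 'quick') that blocks the packet, or None."""
    for spec in RULES:
        if rule_matches(spec, packet_flags):
            return spec
    return None

# Constructed sample packets: flag letters only, no real capture data.
SAMPLES = {
    "normal SYN": "S",
    "normal SYN/ACK": "SA",
    "established data": "PA",
    "no flags": "",
    "FIN+URG+PSH": "FUP",
    "SYN+FIN+ACK": "SFA",
    "SYN+RST": "SR",
    "all eight flags": "WEUAPRSF",
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:18} -> {first_blocking_rule(flags) or 'not matched'}")
```

Packets with ordinary flag combinations pass through all six rules untouched, which is why the stateful filtering and default deny policy mentioned above are still needed alongside them.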

Now let’s look at the results of an Nmap scan after enabling these rules:

nmap -O 


As you can see, this time the attempt was unsuccessful and the fingerprinting was returned with some strings… This demonstrates some basic concepts of the pf firewall on BSD systems; the same can be done on an OpenBSD system too. Since I’m a newbie to BSD firewalls, I’ll be doing a lot of learning and will keep on posting my successes 🙂

Hope this gives you an idea. If you have a better one or an improvement, let me know. Till then, CIAO 🙂

