The stopping of fingerprinting is an interesting issue. Essentially you must silently drop and not respond to as many things as possible. Responding w/ RSTs would be adverse to this goal. The only things I allow from the outside are via this rule:

    pass in inet proto tcp from any to any port $Services flags S/SAFRPU modulate state

The flags are key to decreasing the chance of fingerprints. Essentially we only allow in a SYN packet with no other flags and then keep state. Also, by using scrub, nmap will say you are OpenBSD 3.0. If you wish to cease to appear as OpenBSD you must also do the following:

    sysctl -w net.inet.tcp.rfc1323=0

This is in regards to sending TCP timestamps, which is also a good way to be fingerprinted. This may have adverse effects on your packet transmission, especially in a high latency environment, as this disables a sliding window for packet size. Essentially, if you really wish to block fingerprinting you must respond only to things that you have to while blocking everything else and silently dropping them. In many cases the benefits of stopping fingerprinting are far outweighed by convenience, i.e. do you really want to drop the packets silently or respond w/ RSTs, and wouldn't it be nice to be pingable? If you keep yourself pingable however I would disable ICMP timestamps:

    net.inet.icmp.tstamprepl=0

Hope this was somewhat useful.

-James

> My goals (other than to help prevent being hacked of course ;) are to stop
> spoofed packets (I looked at using antispoof but it didn't meet my
> requirements) from entering or leaving, to implement some sort of bandwidth
> priority and to otherwise to appear to not being running a firewall and to if
> possible mask what OS I'm running from fingerprinting. Currently I block
> icmp6.
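Putting the pieces of the post together as an added example (this is not James's own ruleset): a pf.conf fragment that drops silently by default, normalises inbound packets with scrub, and admits only a bare-SYN connection to the published services, with an optional rule for staying pingable. The interface name and the contents of the $Services macro are constructed placeholders.

```pf
# Added example, not the poster's configuration. Interface name and the
# service ports below are constructed placeholders.
ext_if = "ne3"                   # placeholder external interface
Services = "{ 22, 80, 443 }"     # constructed sample list of exposed ports

# Drop, never return: no RST or ICMP unreachable goes back to a scanner,
# which is the "silently drop" behaviour the post recommends.
set block-policy drop

# Normalise inbound packets. The post notes this by itself makes nmap guess
# OpenBSD, so the tcp timestamp sysctl (net.inet.tcp.rfc1323=0) must also be
# turned off if the goal is to hide the OS.
scrub in all

# Default deny in both directions; everything below is an explicit exception.
block in all
block out all

# Only a packet with SYN set and none of SYN/ACK/FIN/RST/PSH/URG may open a
# connection to the published ports; modulate state then tracks the flow and
# rewrites initial sequence numbers.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $Services \
    flags S/SAFRPU modulate state

# Optional: answer ping. If this is enabled, the post suggests also setting
# net.inet.icmp.tstamprepl=0 so timestamp requests are not answered.
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state

# Let the host itself open outbound connections.
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any keep state
```

The two sysctl settings from the post (net.inet.tcp.rfc1323=0 and net.inet.icmp.tstamprepl=0) belong in /etc/sysctl.conf so they survive a reboot. Note that the stand-alone `scrub in all` line is the classic syntax from the era of the post; on OpenBSD 4.6 and later scrubbing is written as a `match in all scrub (...)` rule instead, while other pf ports still accept the form shown. Keep in mind the trade-off the post spells out: with block-policy drop, a client that hits a closed port waits for a timeout rather than getting an immediate RST.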
