> > is there any option for pf to prevent passive os fingerprinting for the
> > clients behind an obsd nat-box?
>
> Use 'modulate state' option on your 'pass out' rule to randomize TCP ISN
> generation and options 'reassemble tcp timeout modulation', 'random-id'
> in your 'scrub' rule.
I've found that this does very little in the way of preventing OS fingerprinting. It does stop outsiders from guessing your uptime, but that's about it. From what I can tell, most OS fingerprinting is based on the window size, TTL, SYN packet size, etc. p0f is very educational if you want to learn about it, especially the p0f.fp file (http://lcamtuf.coredump.cx/p0f.shtml). Setting min-ttl or max-mss can help, but p0f usually can still guess correctly using fuzzy matching.

I've found it much more effective to change some kernel variables. Below are some I've found useful on my FreeBSD systems:

net.inet.ip.ttl
net.inet.tcp.rfc1323

One of these makes more of a difference than the other, can't remember which:

net.inet.tcp.recvspace
net.inet.tcp.sendspace

Here is a patch I've found to give you some control over TOS:
http://lists.freebsd.org/pipermail/freebsd-hackers/2003-May/001078.html

Just remember that if you're going to all this trouble to disguise your OS, don't leave your OpenSSH banner on, like I did! :-)

Aaron
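The point Aaron makes above (that pf's 'random-id', 'modulate state' and 'reassemble tcp' rewrite fields a passive fingerprinter never looks at, while the TTL, window size, SYN size and TCP option layout that p0f keys on are only changed by kernel tunables) can be shown with a toy model. The following is an added example written for this page, not code from the thread, from pf or from p0f: the signature format and the "stack-A/B/C" table are constructed for illustration and are not the real p0f.fp grammar or real OS entries, and `pf_scrub` / `apply_sysctls` only mimic the effect of those knobs on a single outbound SYN.

```python
"""Toy passive-fingerprint model: which SYN fields each knob actually changes.

Added example, not part of the original thread. The signature table and the
option-layout notation (M=mss, S=sack-ok, T=timestamp, W=wscale, N=nop) are
constructed for illustration and are not the real p0f.fp format.
"""
import random
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Byte length of each TCP option kind in our simplified layout notation.
OPTLEN = {"M": 4, "S": 2, "T": 10, "W": 3, "N": 1}


@dataclass(frozen=True)
class Syn:
    """Fields of an outbound SYN as a passive observer on the wire sees them."""
    ip_id: int
    ttl: int
    df: bool
    isn: int
    window: int
    mss: int
    options: Tuple[str, ...]  # option layout in on-the-wire order
    tcp_ts: int
    size: int                 # total IP length of the SYN


def syn_size(options: Tuple[str, ...]) -> int:
    """20-byte IP header + 20-byte TCP header + options."""
    return 40 + sum(OPTLEN[o] for o in options)


def signature(s: Syn) -> tuple:
    """What a p0f-style matcher keys on: window, initial TTL, DF, SYN size, option layout.
    ip_id, isn and tcp_ts are deliberately absent: rewriting them changes nothing here."""
    return (s.window, s.ttl, s.df, s.size, s.options)


# Constructed, hypothetical stacks (NOT real p0f.fp entries).
SIGNATURES = {
    (5840, 64, True, 60, ("M", "S", "T", "N", "W")): "stack-A",
    (65535, 128, True, 48, ("M", "N", "N", "S")): "stack-B",
    (57344, 64, True, 64, ("M", "N", "W", "N", "N", "T", "S", "N", "N")): "stack-C",
}


def identify(s: Syn, fuzzy: bool = False) -> Optional[str]:
    """Exact match on the full signature, or a fuzzy match that tolerates a changed
    TTL / window (as min-ttl or max-mss would cause) and keys on DF + size + layout."""
    if not fuzzy:
        return SIGNATURES.get(signature(s))
    for (_win, _ttl, df, size, opts), label in SIGNATURES.items():
        if (df, size, opts) == (s.df, s.size, s.options):
            return label
    return None


def pf_scrub(s: Syn, seed: int = 0) -> Syn:
    """Mimic 'scrub ... random-id reassemble tcp' plus 'pass out ... modulate state':
    IP ID randomised, ISN randomised, TCP timestamp offset modulated."""
    rng = random.Random(seed)
    return replace(
        s,
        ip_id=rng.randrange(1 << 16),
        isn=rng.randrange(1 << 32),
        tcp_ts=s.tcp_ts + rng.randrange(1 << 30),
    )


def apply_sysctls(s: Syn, ttl: Optional[int] = None, rfc1323: Optional[bool] = None,
                  recvspace: Optional[int] = None) -> Syn:
    """Mimic the FreeBSD tunables named in the post: net.inet.ip.ttl sets the initial
    TTL, net.inet.tcp.rfc1323=0 drops window scaling and timestamps (which also
    shrinks the SYN), net.inet.tcp.recvspace changes the advertised window."""
    opts = s.options
    if rfc1323 is False:
        opts = tuple(o for o in opts if o not in ("T", "W", "N"))
        while sum(OPTLEN[o] for o in opts) % 4:   # re-pad options to a 4-byte boundary
            opts += ("N",)
    return replace(
        s,
        ttl=s.ttl if ttl is None else ttl,
        window=s.window if recvspace is None else recvspace,
        options=opts,
        size=syn_size(opts),
    )


# A constructed SYN from hypothetical "stack-A".
ORIGINAL = Syn(ip_id=1, ttl=64, df=True, isn=1000, window=5840, mss=1460,
               options=("M", "S", "T", "N", "W"), tcp_ts=12345, size=60)


def demo() -> dict:
    """Identification result after each kind of change (exact, fuzzy)."""
    scrubbed = pf_scrub(ORIGINAL, seed=7)
    ttl_only = apply_sysctls(ORIGINAL, ttl=128)
    tuned = apply_sysctls(ORIGINAL, ttl=128, rfc1323=False, recvspace=65535)
    return {
        "original": (identify(ORIGINAL), identify(ORIGINAL, fuzzy=True)),
        "after_pf_scrub": (identify(scrubbed), identify(scrubbed, fuzzy=True)),
        "after_ttl_change": (identify(ttl_only), identify(ttl_only, fuzzy=True)),
        "after_ttl_rfc1323_recvspace": (identify(tuned), identify(tuned, fuzzy=True)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:30} exact={v[0]!s:8} fuzzy={v[1]}")
```

Running it shows the scrubbed SYN still matches "stack-A" exactly, a TTL change alone defeats the exact match but not the fuzzy one (Aaron's min-ttl observation), and only the combination of TTL, rfc1323 and window changes produces a SYN that matches nothing in the table.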
