Diffstat (limited to 'static/freebsd/man5/pf.os.5 3.html')
| -rw-r--r-- | static/freebsd/man5/pf.os.5 3.html | 168 |
1 files changed, 168 insertions, 0 deletions
diff --git a/static/freebsd/man5/pf.os.5 3.html b/static/freebsd/man5/pf.os.5 3.html new file mode 100644 index 00000000..d3edd8b3 --- /dev/null +++ b/static/freebsd/man5/pf.os.5 3.html 
@@ -0,0 +1,168 @@ +<table class="head"> + <tr> + <td class="head-ltitle">PF.OS(5)</td> + <td class="head-vol">File Formats Manual</td> + <td class="head-rtitle">PF.OS(5)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">pf.os</code> — <span class="Nd">format of + the operating system fingerprints file</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">The <a class="Xr">pf(4)</a> firewall and the + <a class="Xr">tcpdump(1)</a> program can both fingerprint the operating + system of hosts that originate an IPv4 TCP connection. The file consists of + newline-separated records, one per fingerprint, containing nine colon + (‘<code class="Li">:</code>’) separated fields. These fields + are as follows:</p> +<p class="Pp"></p> +<div class="Bd-indent"> +<dl class="Bl-tag Bl-compact"> + <dt>window</dt> + <dd>The TCP window size.</dd> + <dt>TTL</dt> + <dd>The IP time to live.</dd> + <dt>df</dt> + <dd>The presence of the IPv4 don't fragment bit.</dd> + <dt>packet size</dt> + <dd>The size of the initial TCP packet.</dd> + <dt>TCP options</dt> + <dd>An ordered list of the TCP options.</dd> + <dt>class</dt> + <dd>The class of operating system.</dd> + <dt>version</dt> + <dd>The version of the operating system.</dd> + <dt>subtype</dt> + <dd>The subtype of patchlevel of the operating system.</dd> + <dt>description</dt> + <dd>The overall textual description of the operating system, version and + subtype.</dd> +</dl> +</div> +<p class="Pp">The <var class="Ar">window</var> field corresponds to the + th->th_win field in the TCP header and is the source host's advertised + TCP window size. It may be between zero and 65,535 inclusive. 
The window + size may be given as a multiple of a constant by prepending the size with a + percent sign ‘%’ and the value will be used as a modulus. + Three special values may be used for the window size:</p> +<p class="Pp"></p> +<div class="Bd-indent"> +<dl class="Bl-tag Bl-compact"> + <dt>*</dt> + <dd>An asterisk will wildcard the value so any window size will match.</dd> + <dt>S</dt> + <dd>Allow any window size which is a multiple of the maximum segment size + (MSS).</dd> + <dt>T</dt> + <dd>Allow any window size which is a multiple of the maximum transmission unit + (MTU).</dd> +</dl> +</div> +<p class="Pp">The <var class="Ar">ttl</var> value is the initial time to live in + the IP header. The fingerprint code will account for the volatility of the + packet's TTL as it traverses a network.</p> +<p class="Pp">The <var class="Ar">df</var> bit corresponds to the Don't Fragment + bit in an IPv4 header. It tells intermediate routers not to fragment the + packet and is used for path MTU discovery. It may be either a zero or a + one.</p> +<p class="Pp">The <var class="Ar">packet size</var> is the literal size of the + full IP packet and is a function of all of the IP and TCP options.</p> +<p class="Pp">The <var class="Ar">TCP options</var> field is an ordered list of + the individual TCP options that appear in the SYN packet. Each option is + described by a single character separated by a comma and certain ones may + include a value. The options are:</p> +<p class="Pp"></p> +<div class="Bd-indent"> +<dl class="Bl-tag Bl-compact"> + <dt>Mnnn</dt> + <dd>maximum segment size (MSS) option. The value is the maximum packet size of + the network link which may include the ‘%’ modulus or match + all MSSes with the ‘*’ value.</dd> + <dt>N</dt> + <dd>the NOP option (NO Operation).</dd> + <dt>T[0]</dt> + <dd>the timestamp option. 
Certain operating systems always start with a zero + timestamp in which case a zero value is added to the option; otherwise no + value is appended.</dd> + <dt>S</dt> + <dd>the Selective ACKnowledgement OK (SACKOK) option.</dd> + <dt>Wnnn</dt> + <dd>window scaling option. The value is the size of the window scaling which + may include the ‘%’ modulus or match all window scalings + with the ‘*’ value.</dd> +</dl> +</div> +<p class="Pp">No TCP options in the fingerprint may be given with a single dot + ‘.’.</p> +<p class="Pp">An example of OpenBSD's TCP options are:</p> +<p class="Pp"></p> +<div class="Bd Bd-indent"><code class="Li">M*,N,N,S,N,W0,N,N,T</code></div> +<p class="Pp">The first option <var class="Ar">M*</var> is the MSS option and + will match all values. The second and third options <var class="Ar">N</var> + will match two NOPs. The fourth option <var class="Ar">S</var> will match + the SACKOK option. The fifth <var class="Ar">N</var> will match another NOP. + The sixth <var class="Ar">W0</var> will match a window scaling option with a + zero scaling size. The seventh and eighth <var class="Ar">N</var> options + will match two NOPs. And the ninth and final option <var class="Ar">T</var> + will match the timestamp option with any time value.</p> +<p class="Pp">The TCP options in a fingerprint will only match packets with the + exact same TCP options in the same order.</p> +<p class="Pp">The <var class="Ar">class</var> field is the class, genre or + vendor of the operating system.</p> +<p class="Pp">The <var class="Ar">version</var> is the version of the operating + system. It is used to distinguish between different fingerprints of + operating systems of the same class but different versions.</p> +<p class="Pp">The <var class="Ar">subtype</var> is the subtype or patch level of + the operating system version. 
It is used to distinguish between different + fingerprints of operating systems of the same class and same version but + slightly different patches or tweaking.</p> +<p class="Pp">The <var class="Ar">description</var> is a general description of + the operating system, its version, patchlevel and any further useful + details.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1> +<p class="Pp">The fingerprint of a plain <span class="Ux">OpenBSD 3.3</span> + host is:</p> +<div class="Bd Pp Li"> +<pre> 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3</pre> +</div> +<p class="Pp">The fingerprint of an <span class="Ux">OpenBSD 3.3</span> host + behind a PF scrubbing firewall with a no-df rule would be:</p> +<div class="Bd Pp Li"> +<pre> 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df</pre> +</div> +<p class="Pp">An absolutely braindead embedded operating system fingerprint + could be:</p> +<div class="Bd Pp Li"> +<pre> 65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3</pre> +</div> +<p class="Pp">The <a class="Xr">tcpdump(1)</a> output of</p> +<div class="Bd Pp Li"> +<pre> # tcpdump -s128 -c1 -nv 'tcp[13] == 2' + 03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \ + 534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \ + (ttl 64, id 11315, len 44)</pre> +</div> +<p class="Pp">almost translates into the following fingerprint</p> +<div class="Bd Pp Li"> +<pre> 57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0</pre> +</div> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">tcpdump(1)</a>, <a class="Xr">pf(4)</a>, + <a class="Xr">pf.conf(5)</a>, <a class="Xr">pfctl(8)</a></p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">May 31, 2007</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
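Review bot: the path `static/freebsd/man5/pf.os.5 3.html` in the `diff --git` header contains a space and a ` 3` suffix, which looks like an accidental duplicate copy of a `pf.os.5.html` rather than an intended file name, and the space will have to be percent-encoded in every URL that serves this page out of `static/`. Suggest checking whether `static/freebsd/man5/pf.os.5.html` is already present in the tree and, if so, dropping this copy; otherwise rename the new file to that path before merging. Minor: the rendered `subtype` entry reads "The subtype of patchlevel of the operating system" while the later paragraph says "subtype or patch level"; if this HTML is generated from the mdoc source, that wording should be corrected upstream rather than hand-edited here.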
