xref: /netbsd-src/dist/pf/share/man/man5/pf.os.5 (revision 4a7a0dc0325d733f5a58d31e9a0b884a671294b8)
.\"	$NetBSD: pf.os.5,v 1.7 2018/08/17 12:36:53 maxv Exp $
.\"	$OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.Dd August 17, 2018
.Dt PF.OS 5
.Os
.Sh NAME
.Nm pf.os
.Nd format of the operating system fingerprints file
.Sh DESCRIPTION
.Bf -symbolic
The NetBSD version of PF is obsolete, and its use is strongly discouraged.
Use
.Xr npf 7
instead.
.Pp
.Ef
The
.Xr pf 4
firewall and the
.Xr tcpdump 8
program can both fingerprint the operating system of hosts that
originate an IPv4 TCP connection.
The file consists of newline-separated records, one per fingerprint,
containing nine colon
.Pq Ql \&:
separated fields.
These fields are as follows:
.Pp
.Bl -tag -width Description -offset indent -compact
.It window
The TCP window size.
.It TTL
The IP time to live.
.It df
The presence of the IPv4 don't fragment bit.
.It packet size
The size of the initial TCP packet.
.It TCP options
An ordered list of the TCP options.
.It class
The class of operating system.
.It version
The version of the operating system.
.It subtype
The subtype or patchlevel of the operating system.
.It description
The overall textual description of the operating system, version and subtype.
.El
.Pp
The
.Ar window
field corresponds to the th->th_win field in the TCP header and is the
source host's advertised TCP window size.
It may be between zero and 65,535 inclusive.
The window size may be given as a multiple of a constant by prepending
the size with a percent sign
.Sq %
and the value will be used as a modulus.
Three special values may be used for the window size:
.Pp
.Bl -tag -width xxx -offset indent -compact
.It *
An asterisk will wildcard the value so any window size will match.
.It S
Allow any window size which is a multiple of the maximum segment size (MSS).
.It T
Allow any window size which is a multiple of the maximum transmission unit
(MTU).
.El
.Pp
The
.Ar ttl
value is the initial time to live in the IP header.
The fingerprint code will account for the volatility of the packet's TTL
as it traverses a network.
.Pp
The
.Ar df
bit corresponds to the Don't Fragment bit in an IPv4 header.
It tells intermediate routers not to fragment the packet and is used for
path MTU discovery.
It may be either a zero or a one.
.Pp
The
.Ar packet size
is the literal size of the full IP packet and is a function of all of
the IP and TCP options.
.Pp
The
.Ar TCP options
field is an ordered list of the individual TCP options that appear in the
SYN packet.
Each option is described by a single character separated by a comma and
certain ones may include a value.
The options are:
.Pp
.Bl -tag -width Description -offset indent -compact
.It Mnnn
maximum segment size (MSS) option.
The value is the maximum packet size of the network link which may
include the
.Sq %
modulus or match all MSSes with the
.Sq *
value.
.It N
the NOP option (NO Operation).
.It T[0]
the timestamp option.
Certain operating systems always start with a zero timestamp in which
case a zero value is added to the option; otherwise no value is appended.
.It S
the Selective ACKnowledgement OK (SACKOK) option.
.It Wnnn
window scaling option.
The value is the size of the window scaling which may include the
.Sq %
modulus or match all window scalings with the
.Sq *
value.
.El
.Pp
No TCP options in the fingerprint may be given with a single dot
.Sq \&. .
.Pp
An example of OpenBSD's TCP options is:
.Pp
.Dl M*,N,N,S,N,W0,N,N,T
.Pp
The first option
.Ar M*
is the MSS option and will match all values.
The second and third options
.Ar N
will match two NOPs.
The fourth option
.Ar S
will match the SACKOK option.
The fifth
.Ar N
will match another NOP.
The sixth
.Ar W0
will match a window scaling option with a zero scaling size.
The seventh and eighth
.Ar N
options will match two NOPs.
The ninth and final option
.Ar T
will match the timestamp option with any time value.
.Pp
The TCP options in a fingerprint will only match packets with the
exact same TCP options in the same order.
.Pp
The
.Ar class
field is the class, genre or vendor of the operating system.
.Pp
The
.Ar version
is the version of the operating system.
It is used to distinguish between different fingerprints of operating
systems of the same class but different versions.
.Pp
The
.Ar subtype
is the subtype or patch level of the operating system version.
It is used to distinguish between different fingerprints of operating
systems of the same class and same version but slightly different
patches or tweaking.
.Pp
The
.Ar description
is a general description of the operating system, its version,
patchlevel and any further useful details.
.Sh EXAMPLES
The fingerprint of a plain
.Ox 3.3
host is:
.Bd -literal
  16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
.Ed
.Pp
The fingerprint of an
.Ox 3.3
host behind a PF scrubbing firewall with a no-df rule would be:
.Bd -literal
  16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
.Ed
.Pp
An absolutely braindead embedded operating system fingerprint could be:
.Bd -literal
  65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
.Ed
.Pp
The
.Xr tcpdump 8
output of
.Bd -literal
  # tcpdump -s128 -c1 -nv 'tcp[13] == 2'
  03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \e
      534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e
      (ttl 64, id 11315, len 44)
.Ed
.Pp
almost translates into the following fingerprint
.Bd -literal
  57344:64:1:44:M1460:exampleOS:1.0::exampleOS 1.0
.Ed
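.Pp
The following Python example is added here and is not part of pf, pfctl or this manual page.
It parses records in the nine-field format described above and matches them against the header values of an observed IPv4 SYN, including the window modulus, the special window values and the ordered option list.
Two details are assumptions rather than pf's own rules: the TTL check tolerates volatility by requiring the observed TTL to be at most the fingerprint's initial TTL, and the MTU used for the T special value is taken to be the MSS plus 40 bytes of IPv4 and TCP headers.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Opt = Tuple[str, Optional[int]]   # observed TCP option, e.g. ("M", 1460) or ("N", None)

@dataclass
class Fingerprint:                # the nine colon-separated fields of one pf.os record
    window: str; ttl: int; df: int; size: int
    options: List[str]            # tokens such as "M*", "N", "S", "W0", "T", "T0"
    osclass: str; version: str; subtype: str; description: str

def parse_record(line: str) -> Fingerprint:
    f = [s.strip() for s in line.split(":")]
    if len(f) != 9:
        raise ValueError("pf.os records have exactly nine fields: %r" % line)
    opts = [] if f[4] == "." else f[4].split(",")   # a single "." means no options
    return Fingerprint(f[0], int(f[1]), int(f[2]), int(f[3]), opts, *f[5:])

def num_ok(spec: str, value: int, mss: int, mtu: int) -> bool:
    """Match a window / Mnnn / Wnnn spec: literal number, '*', '%mod', 'S' or 'T'."""
    if spec == "*":
        return True
    if spec in ("S", "T"):           # any multiple of the MSS ('S') or of the MTU ('T')
        unit = mss if spec == "S" else mtu
        return unit > 0 and value % unit == 0
    if spec.startswith("%"):         # modulus form, e.g. "%64"
        return value % int(spec[1:]) == 0
    return value == int(spec)

def match(fp: Fingerprint, window: int, ttl: int, df: int, size: int, opts: List[Opt]) -> bool:
    """True if an observed IPv4 SYN fits fp; options must agree in kind, order and count."""
    mss = next((v for k, v in opts if k == "M"), 0)
    mtu = mss + 40                   # assumption: MTU = MSS + 20-byte IP + 20-byte TCP header
    # assumption for TTL volatility: the initial TTL can only have decayed in transit
    if (not num_ok(fp.window, window, mss, mtu) or ttl > fp.ttl
            or df != fp.df or size != fp.size or len(opts) != len(fp.options)):
        return False
    for spec, (kind, val) in zip(fp.options, opts):
        if spec[0] != kind or (spec == "T0" and val != 0):   # "T0": zero timestamp
            return False
        if kind in ("M", "W") and not num_ok(spec[1:], val, mss, mtu):
            return False
    return True

RECORDS = [  # copied from this man page's EXAMPLES section
    "16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3",
    "16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df",
    "57344:64:1:44:M1460:exampleOS:1.0::exampleOS 1.0",
]
```

Running the tcpdump SYN shown above (win 57344, mss 1460, DF, ttl 64, len 44) through match() selects only the exampleOS record; the two OpenBSD records fail on the option list.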
.Sh SEE ALSO
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pfctl 8 ,
.Xr tcpdump 8