Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/dist/pf import pf from OpenBSD 3.6. (userland part)
details: https://anonhg.NetBSD.org/src/rev/089bfb501a24
branches: trunk
changeset: 571220:089bfb501a24
user: yamt <yamt%NetBSD.org@localhost>
date: Sun Nov 14 11:08:58 2004 +0000
description:
import pf from OpenBSD 3.6. (userland part)
diffstat:
dist/pf/etc/pf.conf | 31 +
dist/pf/etc/pf.os | 642 +++++++
dist/pf/etc/spamd.conf | 86 +
dist/pf/sbin/pfctl/Makefile | 11 +-
dist/pf/sbin/pfctl/pfctl_optimize.c | 1557 +++++++++++++++++++
dist/pf/sbin/pflogd/pflogd.c | 18 +-
dist/pf/sbin/pflogd/privsep.c | 14 +-
dist/pf/sbin/pflogd/privsep_fdpass.c | 6 +-
dist/pf/share/man/man4/pf.4 | 1099 +++++++++++++
dist/pf/share/man/man4/pflog.4 | 89 +
dist/pf/share/man/man5/pf.conf.5 | 2729 ++++++++++++++++++++++++++++++++++
dist/pf/share/man/man5/pf.os.5 | 242 +++
dist/pf/share/man/man5/spamd.conf.5 | 190 ++
dist/pf/share/pf/Makefile | 13 +
dist/pf/share/pf/ackpri | 32 +
dist/pf/share/pf/faq-example1 | 47 +
dist/pf/share/pf/faq-example2 | 88 +
dist/pf/share/pf/faq-example3 | 118 +
dist/pf/share/pf/queue1 | 22 +
dist/pf/share/pf/queue2 | 28 +
dist/pf/share/pf/queue3 | 15 +
dist/pf/share/pf/queue4 | 19 +
dist/pf/share/pf/spamd | 7 +
23 files changed, 7089 insertions(+), 14 deletions(-)
diffs (truncated from 7299 to 300 lines):
diff -r 3c71382fa5d8 -r 089bfb501a24 dist/pf/etc/pf.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/pf/etc/pf.conf Sun Nov 14 11:08:58 2004 +0000
@@ -0,0 +1,31 @@
+# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
+#
+# See pf.conf(5) and /usr/share/pf for syntax and examples.
+# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
+# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
+
+#ext_if="ext0"
+#int_if="int0"
+
+#table <spamd> persist
+#table <spamd-white> persist
+
+#scrub in
+
+#nat on $ext_if from !($ext_if) -> ($ext_if:0)
+#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
+#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
+# -> 127.0.0.1 port spamd
+#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
+# -> 127.0.0.1 port spamd
+
+#block in
+#pass out keep state
+
+#pass quick on { lo $int_if }
+#antispoof quick for { lo $int_if }
+
+#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
+#pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
+#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
+#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
diff -r 3c71382fa5d8 -r 089bfb501a24 dist/pf/etc/pf.os
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/pf/etc/pf.os Sun Nov 14 11:08:58 2004 +0000
@@ -0,0 +1,642 @@
+# $OpenBSD: pf.os,v 1.17 2004/04/28 01:01:27 deraadt Exp $
+# passive OS fingerprinting
+# -------------------------
+#
+# SYN signatures. Those signatures work for SYN packets only (duh!).
+#
+# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf%coredump.cx@localhost>
+# (C) Copyright 2003 by Mike Frantzen <frantzen%w4g.org@localhost>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+#
+# This fingerprint database is adapted from Michal Zalewski's p0f passive
+# operating system package. The last database sync was from a Nov 3 2003
+# p0f.fp.
+#
+#
+# Each line in this file specifies a single fingerprint. Please read the
+# information below carefully before attempting to append any signatures
+# reported as UNKNOWN to this file to avoid mistakes.
+#
+# We use the following set metrics for fingerprinting:
+#
+# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
+# performance control (max. amount of data to be sent without ACK).
+# Some systems use a fixed value for initial packets. On other
+# systems, it is a multiple of MSS or MTU (MSS+40). In some rare
+# cases, the value is just arbitrary.
+#
+# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
+# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
+# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
+# value of nn is not fixed (unlikely), just copy the Snn or Tnn token
+# literally. If you know this device has a simple stack and a fixed
+# MTU, you can however multiply S value by MSS, or T value by MSS+40,
+# and put it instead of Snn or Tnn.
+#
+# If WSS otherwise looks like a fixed value (for example a multiple
+# of two), or if you can confirm the value is fixed, please quote
+# it literally. If there's no apparent pattern in WSS chosen, you
+# should consider wildcarding this value.
+#
+# - Overall packet size - a function of all IP and TCP options and bugs.
+#
+# NEW SIGNATURE: Copy this value literally.
+#
+# - Initial TTL - We check the actual TTL of a received packet. It can't
+# be higher than the initial TTL, and also shouldn't be dramatically
+# lower (maximum distance is defined as 40 hops).
+#
+# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
+# You need to determine the initial TTL. The best way to do it is to
+# check the documentation for a remote system, or check its settings.
+# A fairly good method is to simply round the observed TTL up to
+# 32, 64, 128, or 255, but it should be noted that some obscure devices
+# might not use round TTLs (in particular, some shoddy appliances use
+# "original" initial TTL settings). If not sure, you can see how many
+# hops you're away from the remote party with traceroute or mtr.
+#
+# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
+# discovery. Others do not bother.
+#
+# NEW SIGNATURE: Copy this value literally.
+#
+# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
+# uses it to determine link type of the remote host.
+#
+# NEW SIGNATURE: Always wildcard this value, except for rare cases when
+# you have an appliance with a fixed value, know the system supports only
+# a very limited number of network interface types, or know the system
+# is using a value it pulled out of nowhere. Specific unique MSS
+# can be used to tell Google crawlbots from the rest of the population.
+#
+# - Window scaling (WSCALE) - this feature is used to scale WSS.
+# It extends the size of a TCP/IP window to 32 bits. Some modern
+# systems implement this feature.
+#
+# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
+# to zero or other low value. There's usually no need to wildcard this
+# parameter.
+#
+# - Timestamp - some systems that implement timestamps set them to
+# zero in the initial SYN. This case is detected and handled appropriately.
+#
+# - Selective ACK permitted - a flag set by systems that implement
+# selective ACK functionality.
+#
+# - The sequence of TCP all options (MSS, window scaling, selective ACK
+# permitted, timestamp, NOP). Other than the options previously
+# discussed, p0f also checks for timestamp option (a silly
+# extension to broadcast your uptime ;-), NOP options (used for
+# header padding) and sackOK option (selective ACK feature).
+#
+# NEW SIGNATURE: Copy the sequence literally.
+#
+# To wildcard any value (except for initial TTL or TCP options), replace
+# it with '*'. You can also use a modulo operator to match any values
+# that divide by nnn - '%nnn'.
+#
+# Fingerprint entry format:
+#
+# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
+#
+# wwww - window size (can be *, %nnn, Snn or Tnn). The special values
+# "S" and "T" which are a multiple of MSS or a multiple of MTU
+# respectively.
+# ttt - initial TTL
+# D - don't fragment bit (0 - not set, 1 - set)
+# ss - overall SYN packet size
+# OOO - option value and order specification (see below)
+# OS - OS genre (Linux, Solaris, Windows)
+# Version - OS Version (2.0.27 on x86, etc)
+# Subtype - OS subtype or patchlevel (SP3, lo0)
+# details - Generic OS details
+#
+# If OS genre starts with '*', p0f will not show distance, link type
+# and timestamp data. It is useful for userland TCP/IP stacks of
+# network scanners and so on, where many settings are randomized or
+# bogus.
+#
+# If OS genre starts with @, it denotes an approximate hit for a group
+# of operating systems (signature reporting still enabled in this case).
+# Use this feature at the end of this file to catch cases for which
+# you don't have a precise match, but can tell it's Windows or FreeBSD
+# or whatnot by looking at, say, flag layout alone.
+#
+# Option block description is a list of comma or space separated
+# options in the order they appear in the packet:
+#
+# N - NOP option
+# Wnnn - window scaling option, value nnn (or * or %nnn)
+# Mnnn - maximum segment size option, value nnn (or * or %nnn)
+# S - selective ACK OK
+# T - timestamp
+# T0 - timestamp with a zero value
+#
+# To denote no TCP options, use a single '.'.
+#
+# Please report any additions to this file, or any inaccuracies or
+# problems spotted, to the maintainers: lcamtuf%coredump.cx@localhost,
+# frantzen%openbsd.org@localhost and bugs%openbsd.org@localhost with a tcpdump packet
+# capture of the relevant SYN packet(s)
+#
+# A test and submission page is available at
+# http://lcamtuf.coredump.cx/p0f-help/
+#
+#
+# WARNING WARNING WARNING
+# -----------------------
+#
+# Do not add a system X as OS Y just because NMAP says so. It is often
+# the case that X is a NAT firewall. While nmap is talking to the
+# device itself, p0f is fingerprinting the guy behind the firewall
+# instead.
+#
+# When in doubt, use common sense, don't add something that looks like
+# a completely different system as Linux or FreeBSD or LinkSys router.
+# Check DNS name, establish a connection to the remote host and look
+# at SYN+ACK - does it look similar?
+#
+# Some users tweak their TCP/IP settings - enable or disable RFC1323
+# functionality, enable or disable timestamps or selective ACK,
+# disable PMTU discovery, change MTU and so on. Always compare a new rule
+# to other fingerprints for this system, and verify the system isn't
+# "customized" before adding it. It is OK to add signature variants
+# caused by a commonly used software (personal firewalls, security
+# packages, etc), but it makes no sense to try to add every single
+# possible /proc/sys/net/ipv4 tweak on Linux or so.
+#
+# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
+# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
+# normalize packets. Signatures will not correspond to the originating
+# system (and probably not quite to the firewall either).
+#
+# NOTE: Try to keep this file in some reasonable order, from most to
+# least likely systems. This will speed up operation. Also keep most
+# generic and broad rules near the end.
+#
+
+##########################
+# Standard OS signatures #
+##########################
+
+# ----------------- AIX ---------------------
+
+# AIX is first because its signatures are close to NetBSD, MacOS X and
+# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
+# This is a shoddy hack, though.
+
+45046:64:0:44:M*: AIX:4.3::AIX 4.3
+16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier
+
+16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
+16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
+32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
+32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
+65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
+65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
+65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1
+
+# ----------------- Linux -------------------
+
+# S1:64:0:44:M*:A: Linux:1.2::Linux 1.2.x (XXX quirks support)
+512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
+16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
+
+# Endian snafu! Nelson says "ha-ha":
+2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
+64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
+
+
+S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot)
+
+S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy)
+S3:64:1:60:M*,S,T,N,W0: Linux:2.4:18-21:Linux 2.4.18 and newer
+S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6
+S4:64:1:60:M*,S,T,N,W0: Linux:2.6::Linux 2.4/2.6
+
+S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4)
+S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6
+S3:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
+S4:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
+
+S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer
+S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
+S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
+
+# Popular cluster config scripts disable timestamps and
+# selective ACK:
+S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster
+
+# This needs to be investigated. On some systems, WSS
+# is selected as a multiple of MTU instead of MSS. I got
+# many submissions for this for many late versions of 2.4:
+T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon)
+
+# This happens only over loopback, but let's make folks happy:
+32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local)
+S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local)
+
+# Opera visitors:
+16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?)
+32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?)
+
+# Some fairly common mods:
+S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps
+S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps
+
+
+# ----------------- FreeBSD -----------------
+
Home |
Main Index |
Thread Index |
Old Index