Title: Filtering TCP connections by operating system on OpenBSD
       Author: Solène
       Date: 06 February 2021
       Tags: openbsd security
       Description: 
       
       # Introduction
       
       In this text I will explain how to filter TCP connections by operating
       system using the OpenBSD Packet Filter (pf).
       
       See the OpenBSD pf.conf man page about OS fingerprinting.
       
       # Explanations
       
       Every operating system has its own way of constructing its SYN
       packets.  Using these differences is called fingerprinting, because
       it lets you identify which OS sent which packet.  To be clear, this is
       not a perfect filter and it can easily be bypassed by anyone who wants
       to.
       Because these SYN packets are required to identify the operating
       system, only TCP connections can be filtered by OS.  The OS list and
       SYN values can be found in the file /etc/pf.os.
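
       To make the matching concrete, here is an added example (not part of
       the original article and not pf's own code): a simplified Python model
       that parses signature lines in the /etc/pf.os layout and classifies a
       SYN from its window, TTL, DF flag, size and TCP options.  The two
       signature lines, the TTL tolerance and all names are constructed for
       illustration, and only part of the pattern syntax is covered.

```python
# Added example: a simplified model of pf.os matching, not pf's own code.
from dataclasses import dataclass

MAX_TTL_DIFF = 40  # assumption of this model: tolerated hop count

# Constructed sample entries in the pf.os layout:
# window:TTL:DF:size:options:class:version:subtype:description
SAMPLE_DB = """
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.0-3.9::constructed OpenBSD entry
S4:64:1:60:M*,S,T,N,W7:Linux:2.6::constructed Linux entry
"""

@dataclass
class Syn:  # the fields of an observed SYN that the fingerprint looks at
    window: int
    ttl: int
    df: int
    size: int
    options: list  # e.g. ["M1460", "N", "W0", "T"]

def parse(db):
    sigs = []
    for line in db.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            win, ttl, df, size, opts, cls = line.split(":")[:6]
            sigs.append((win, int(ttl), int(df), size, opts.split(","), cls))
    return sigs

def num_ok(pat, value, mss=None):
    if pat == "*":                      # wildcard
        return True
    if pat[0] == "%":                   # multiple of a constant
        return value % int(pat[1:]) == 0
    if pat[0] == "S":                   # window as a multiple of the MSS option
        return mss is not None and value == int(pat[1:]) * mss
    return value == int(pat)            # other prefixes are not modelled here

def opt_ok(pat, opt):
    if pat[0] in "MW" and opt[0] == pat[0]:  # MSS / window scale carry a value
        return num_ok(pat[1:], int(opt[1:]))
    return pat == opt                        # N, S, T, T0 must match exactly

def classify(syn, sigs):
    mss = next((int(o[1:]) for o in syn.options if o[0] == "M"), None)
    for win, ttl, df, size, opts, cls in sigs:
        if (num_ok(win, syn.window, mss) and 0 <= ttl - syn.ttl <= MAX_TTL_DIFF
                and df == syn.df and num_ok(size, syn.size)
                and len(opts) == len(syn.options)
                and all(opt_ok(p, o) for p, o in zip(opts, syn.options))):
            return cls
    return "unknown"
```

       Every value compared here is chosen by the sender or changed in
       transit, so a SYN that comes back as "unknown" is one that a rule
       using "os OpenBSD" would not match.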
       
       # How to setup
       
       The keyword "os $value" must be used as part of the "from $address"
       clause.  I use it to restrict SSH connections to my server to
       OpenBSD systems only (in addition to key authentication).
       
       ```OpenBSD packet filter configuration file including comments
       # only allow OpenBSD hosts to connect
       pass in on egress inet proto tcp from any os OpenBSD to (egress) port 22
       
       # allow connections from the $home IP whatever the OS is
       # ($home is a macro that must be defined earlier in pf.conf)
       pass in on egress inet proto tcp from $home to (egress) port 22
       ```
       
       This can be a very good way to stop unwanted traffic spamming logs, but
       it should be used with caution because you may accidentally block
       legitimate traffic.