OpenBSD PF: Filtering traffic by Operating System

I was reading through the PF manual, and came across a section on filtering traffic with “Passive Operating System Fingerprinting”:

PF contains dozens of Operating System fingerprints. The full list of fingerprints can be printed with the pfctl utility:

$ pfctl -s osfp | tail -5
Windows XP RFC1323
Windows XP SP1
Windows XP SP3
Zaurus 3.10

or with one of the available UNIX pagers:

$ tail -5 /etc/pf.os
*:128:1:48:M536,N,N,S: @Windows:98::Windows 98
*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000

Using the fingerprints listed here, we can filter inbound connections by IP address, TCP/UDP ports, and Operating System:

pass in quick on $ext proto tcp from to any port 22 os OpenBSD keep state

This example will allow OpenBSD systems with an IP address in the network to ssh to any machine on our network. This has some interesting uses.