OpenBSD PF: Filtering traffic by Operating System

I was reading through the PF manual, and came across a section on filtering traffic with “Passive Operating System Fingerprinting”:

http://www.openbsd.org/faq/pf/filter.html

PF contains dozens of Operating System fingerprints. The full list of fingerprints can be printed with the pfctl utility:

$ pfctl -s osfp | tail -5
Windows XP RFC1323
Windows XP SP1
Windows XP SP3
Zaurus
Zaurus 3.10

or with one of the available UNIX pagers:

$ tail -5 /etc/pf.os
*:128:1:48:M536,N,N,S: @Windows:98::Windows 98
*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000

Using the fingerprints listed here, we can filter inbound connections by IP address, TCP/UDP ports, and Operating System:

pass in quick on $ext proto tcp from 192.168.1.0/24 to any port 22 os OpenBSD keep state

This example will allow OpenBSD systems with an IP address in the 192.168.1.0/24 network to ssh to any machine on our network. This has some interesting uses.