I was reading through the PF manual, and came across a section on filtering traffic with “Passive Operating System Fingerprinting”:
http://www.openbsd.org/faq/pf/filter.html
PF contains dozens of Operating System fingerprints. The full list of fingerprints can be printed with the pfctl utility:
$ pfctl -s osfp | tail -5
Windows XP RFC1323
Windows XP SP1
Windows XP SP3
Zaurus
Zaurus 3.10
or by reading /etc/pf.os directly with the usual UNIX text tools:
$ tail -5 /etc/pf.os
*:128:1:48:M536,N,N,S: @Windows:98::Windows 98
*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000
Using the fingerprints listed here, we can filter inbound connections by IP address, TCP/UDP ports, and Operating System:
# "os" qualifies the source host, so pf.conf expects it before "to"
pass in quick on $ext proto tcp from 192.168.1.0/24 os OpenBSD to any port 22 keep state
This example will allow OpenBSD systems with an IP address in the 192.168.1.0/24 network to ssh to any machine on our network. This has some interesting uses.
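To make the matching behind that rule concrete, here is an added example (not code from the original post or from OpenBSD's pfctl) that parses the /etc/pf.os lines quoted above and checks a constructed TCP SYN against them, the way pf decides which fingerprint a rule's `os` operand applies to. The three fingerprint lines are copied from the post; every SYN observation is constructed. It simplifies two things, and says so in the code: only `*` and plain-integer window sizes are handled, and the TTL test is approximated as "observed TTL at most the listed initial TTL and within 32 hops of it".

```python
"""Parse pf.os fingerprint lines and match a TCP SYN against them.

Added example (not from the original post or from OpenBSD's pfctl): a
simplified re-implementation of the lookup pf performs on an inbound SYN
when a rule carries the "os" operand.  The fingerprint lines are the
three /etc/pf.os entries quoted in the post; every SYN observation below
is constructed.  Assumptions: only '*' and plain-integer window sizes are
handled, and the TTL rule is approximated as "observed TTL is at most the
listed initial TTL and within 32 hops of it".
"""
from dataclasses import dataclass

# Copied from the post's `tail -5 /etc/pf.os` output (tab before '@').
SAMPLE_PF_OS = """\
*:128:1:48:M536,N,N,S:\t@Windows:98::Windows 98
*:128:1:48:M*,N,N,S:\t@Windows:XP::Windows XP/2000
*:128:1:48:M*,N,N,S:\t@Windows:2000::Windows XP/2000
"""


@dataclass
class Fingerprint:
    window: str          # '*' (any) or a decimal window size
    ttl: int             # initial IP TTL the OS uses
    df: int              # don't-fragment bit (0/1)
    size: int            # SYN length: IP + TCP headers + options
    options: list        # TCP option tokens, e.g. ['M536', 'N', 'N', 'S']
    generic: bool        # class field carried the leading '@' seen in pf.os
    os_class: str        # e.g. 'Windows'  -> what "os Windows" compares against
    version: str         # e.g. 'XP'
    subtype: str         # e.g. 'RFC1323'
    details: str         # free text shown by `pfctl -s osfp`


def parse_pf_os(text):
    """Parse pf.os lines: window:ttl:df:size:options:class:version:subtype:details."""
    fps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # pf.os allows '#' comments
        if not line:
            continue
        fields = line.split(":", 8)               # details may itself contain ':'
        if len(fields) != 9:
            raise ValueError(f"malformed fingerprint line: {raw!r}")
        window, ttl, df, size, opts, cls, ver, sub, det = fields
        cls = cls.strip()
        fps.append(Fingerprint(
            window=window, ttl=int(ttl), df=int(df), size=int(size),
            options=opts.split(",") if opts else [],
            generic=cls.startswith("@"), os_class=cls.lstrip("@"),
            version=ver, subtype=sub, details=det.strip()))
    return fps


def _option_matches(pattern, observed):
    """'M*' / 'W*' accept any MSS / window-scale value; others must be equal."""
    if pattern in ("M*", "W*"):
        return observed.startswith(pattern[0])
    return pattern == observed


def match_syn(fps, window, ttl, df, size, options):
    """Return every fingerprint consistent with the observed SYN, in file order."""
    hits = []
    for fp in fps:
        if fp.window != "*" and int(fp.window) != window:
            continue
        if not (fp.ttl - 32 <= ttl <= fp.ttl):       # simplified hop allowance
            continue
        if fp.df != df or fp.size != size:
            continue
        if len(fp.options) != len(options):
            continue
        if not all(_option_matches(p, o) for p, o in zip(fp.options, options)):
            continue
        hits.append(fp)
    return hits


def classify(window, ttl, df, size, options):
    """'class version' strings a rule's os operand would be compared against."""
    fps = parse_pf_os(SAMPLE_PF_OS)
    return [f"{fp.os_class} {fp.version}".strip()
            for fp in match_syn(fps, window, ttl, df, size, options)]


if __name__ == "__main__":
    # Constructed SYN: 3 hops away from a host that started at TTL 128.
    print(classify(64240, 125, 1, 48, ["M1460", "N", "N", "S"]))
```

A SYN with MSS 1460 matches only the two `M*` entries, while one with MSS 536 also matches the Windows 98 line, which is why pf can return more than one candidate for a packet. The lookup only ever sees the header fields of the initial SYN, which the sending host controls, so an `os` match is a useful hint for filtering and logging, not evidence of which machine is on the other end.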