RE: osf module stopped working

I have discovered an interesting thing: the iptables rule works, but only for some websites. I can access www.google.es but not es.yahoo.com from Windows.
From Linux I can access both.
Any ideas?



I have a firewall where I was blocking Internet access only to Windows clients. I have the osf module, the latest version of the fingerprint file from the OpenBSD web site, and this rule:

iptables -I FORWARD -j DROP -p tcp -m osf --genre Windows --smart

This worked for some time, but yesterday I checked it and now you can surf the web from both Windows and Linux. I have tried to add a rule to drop all connections and insert a new one before it that accepts connections only from Linux, but that doesn't work either. It's like it is unable to identify the operating system; it doesn't seem to be about dropping connections, because I can drop every connection by inserting a drop rule without the "-m osf --genre Windows --smart".

If I go to
http://lcamtuf.coredump.cx/p0f-help/
it identifies my OS correctly, both when I visit it from Windows and from Linux. How can I do the same test for the osf module that is installed in my firewall?

This is the output of iptables -L:


Chain ACCEPT_ALL (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request

Chain BADTCP (2 references)
target     prot opt source               destination
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN      tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
PSCAN      tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
NEWNOTSYN  tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

Chain BLUEINPUT (1 references)
target     prot opt source               destination

Chain CUSTOMFORWARD (1 references)
target     prot opt source               destination

Chain CUSTOMINPUT (1 references)
target     prot opt source               destination

Chain CUSTOMOUTPUT (1 references)
target     prot opt source               destination

Chain DHCPBLUEINPUT (1 references)
target     prot opt source               destination

Chain DMZHOLES (1 references)
target     prot opt source               destination

Chain INPUT (policy DROP)
target     prot opt source               destination
ipac~o     all  --  anywhere             anywhere
BADTCP     all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 10/sec burst 5
CUSTOMINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  127.0.0.0/8          anywhere            state NEW
DROP       all  --  anywhere             127.0.0.0/8         state NEW
ACCEPT    !icmp --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere
BLUEINPUT !icmp --  anywhere             anywhere            state NEW
ORANGEINPUT !icmp --  anywhere             anywhere            state NEW
OUTGOINGFW  all  --  anywhere             anywhere            state NEW
DHCPBLUEINPUT  all  --  anywhere             anywhere
OPENVPN    all  --  anywhere             anywhere            state NEW
IPSECRED   all  --  anywhere             anywhere
IPSECBLUE  all  --  anywhere             anywhere
REDINPUT   all  --  anywhere             anywhere
XTACCESS   all  --  anywhere             anywhere            state NEW
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `INPUT '

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            OS fingerprint match Windows
ipac~fi    all  --  anywhere             anywhere
ipac~fo    all  --  anywhere             anywhere
BADTCP     all  --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  127.0.0.0/8          anywhere            state NEW
DROP       all  --  anywhere             127.0.0.0/8         state NEW
ACCEPT_ALL  all  --  anywhere             anywhere
OUTGOINGFW  all  --  anywhere             anywhere            state NEW
OPENVPN    all  --  anywhere             anywhere            state NEW
DMZHOLES   all  --  anywhere             anywhere            state NEW
PORTFWACCESS  all  --  anywhere             anywhere            state NEW
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `FORWARD '

Chain IPSECBLUE (1 references)
target     prot opt source               destination

Chain IPSECRED (1 references)
target     prot opt source               destination

Chain LOG_DROP (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning
DROP       all  --  anywhere             anywhere

Chain LOG_REJECT (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain NEWNOTSYN (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `NEW not SYN? '
DROP       all  --  anywhere             anywhere

Chain OPENVPN (2 references)
target     prot opt source               destination

Chain ORANGEINPUT (1 references)
target     prot opt source               destination

Chain OUTGOINGFW (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ipac~i     all  --  anywhere             anywhere
CUSTOMOUTPUT  all  --  anywhere             anywhere

Chain PORTFWACCESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.71        tcp dpt:http
ACCEPT     tcp  --  anywhere             192.168.0.70        tcp dpt:smtp
ACCEPT     tcp  --  anywhere             192.168.0.70        tcp dpt:imap

Chain PSCAN (5 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `TCP Scan? '
LOG        udp  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `UDP Scan? '
LOG        icmp --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `ICMP Scan? '
LOG        all  -f  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `FRAG Scan? '
DROP       all  --  anywhere             anywhere

Chain REDINPUT (1 references)
target     prot opt source               destination

Chain SIPROXD (0 references)
target     prot opt source               destination

Chain XTACCESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.175       tcp dpt:ident

Chain ipac~fi (1 references)
target     prot opt source               destination
          all  --  anywhere             anywhere
          all  --  anywhere             anywhere

Chain ipac~fo (1 references)
target     prot opt source               destination
          all  --  anywhere             anywhere
          all  --  anywhere             anywhere

Chain ipac~i (1 references)
target     prot opt source               destination
          all  --  anywhere             anywhere
          all  --  anywhere             anywhere

Chain ipac~o (1 references)
target     prot opt source               destination
          all  --  anywhere             anywhere
          all  --  anywhere             anywhere
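One way to test whether the osf rule is matching at all, added here as an example and not part of the thread: read the per-rule packet counter that `iptables -L FORWARD -v -n -x` prints for the DROP rule carrying the "OS fingerprint match Windows" match, and check whether it moves when a Windows client opens a new connection. The iptables output embedded below is a constructed sample; the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. osf_rule_packets reads
# `iptables -L FORWARD -v -n -x` output on stdin and prints the pkts
# counter of the first rule whose match column says
# "OS fingerprint match Windows"; it prints "none" when no such rule
# is present (for instance because the osf module did not load).
osf_rule_packets() {
    awk '/OS fingerprint match Windows/ { print $1; found = 1; exit }
         END { if (!found) print "none" }'
}

# Compare two readings: "ok" if the osf rule matched new traffic in
# between, "no-match" if the counter did not move, "no-rule" if absent.
osf_rule_moved() {
    if [ "$1" = none ] || [ "$2" = none ]; then
        echo "no-rule"
    elif [ "$2" -gt "$1" ]; then
        echo "ok"
    else
        echo "no-match"
    fi
}

# Constructed sample of `iptables -L FORWARD -v -n -x` (counters made up).
SAMPLE_BEFORE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37       2220 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            OS fingerprint match Windows
    1204      90811 BADTCP     all  --  *      *       0.0.0.0/0            0.0.0.0/0'
# Second reading, as if four more Windows SYNs had been dropped since.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/^      37       2220/      41       2460/')

sample_check() {
    before=$(printf '%s\n' "$SAMPLE_BEFORE" | osf_rule_packets)
    after=$(printf '%s\n' "$SAMPLE_AFTER" | osf_rule_packets)
    osf_rule_moved "$before" "$after"
}

# Live use on the firewall (as root): take a reading, open a web page from
# a Windows client (osf fingerprints the SYN, so only new connections
# count), take a second reading and compare:
#   b=$(iptables -L FORWARD -v -n -x | osf_rule_packets)
#   a=$(iptables -L FORWARD -v -n -x | osf_rule_packets)
#   osf_rule_moved "$b" "$a"
```

If the counter stays at zero while the client still gets through, the rule is installed but the match is not identifying the OS, which separates a fingerprint problem from a rule-ordering problem.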