Changeset View
Changeset View
Standalone View
Standalone View
share/man/man5/pf.conf.5
| Show All 22 Lines | |||||
| .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, | .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, | ||||
| .\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | .\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||||
| .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | ||||
| .\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | .\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||||
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN | ||||
| .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||||
| .\" POSSIBILITY OF SUCH DAMAGE. | .\" POSSIBILITY OF SUCH DAMAGE. | ||||
| .\" | .\" | ||||
| .Dd September 10, 2021 | .Dd September 25, 2021 | ||||
| .Dt PF.CONF 5 | .Dt PF.CONF 5 | ||||
| .Os | .Os | ||||
| .Sh NAME | .Sh NAME | ||||
| .Nm pf.conf | .Nm pf.conf | ||||
| .Nd packet filter configuration file | .Nd packet filter configuration file | ||||
| .Sh DESCRIPTION | .Sh DESCRIPTION | ||||
| The | The | ||||
| .Xr pf 4 | .Xr pf 4 | ||||
| ▲ Show 20 Lines • Show All 494 Lines • ▼ Show 20 Lines | |||||
| .It Ar floating | .It Ar floating | ||||
| States can match packets on any interfaces (the default). | States can match packets on any interfaces (the default). | ||||
| .El | .El | ||||
| .Pp | .Pp | ||||
| For example: | For example: | ||||
| .Bd -literal -offset indent | .Bd -literal -offset indent | ||||
| set state-policy if-bound | set state-policy if-bound | ||||
| .Ed | .Ed | ||||
| .It Ar set syncookies never | always | adaptive | |||||
| When | |||||
| .Cm syncookies | |||||
| are active, pf will answer each incoming TCP SYN with a syncookie SYNACK, | |||||
| without allocating any resources. | |||||
| Upon reception of the client's ACK in response to the syncookie | |||||
| SYNACK, pf will evaluate the ruleset and create state if the ruleset | |||||
| permits it, complete the three way handshake with the target host and | |||||
| continue the connection with synproxy in place. | |||||
| This allows pf to be resilient against large synflood attacks which would | |||||
| run the state table against its limits otherwise. | |||||
| Due to the blind answers to every incoming SYN syncookies share the caveats of | |||||
bcr: Something sounds odd in this sentence, maybe a missing word or letter.
Is it
s/share/shared/… | |||||
Done Inline ActionsIt's perhaps a slightly awkward sentence, but it reads correct to me. I've simplified the 'each and every' which may help a bit. It correctly states that just like synproxy syncookies have the caveat that connections may seem to accept connections which get dropped later. kp: It's perhaps a slightly awkward sentence, but it reads correct to me. I've simplified the 'each… | |||||
| synproxy, namely seemingly accepting connections that will be dropped later on. | |||||
| .Pp | |||||
| .Bl -tag -width adaptive -compact | |||||
| .It Cm never | |||||
| pf will never send syncookie SYNACKs (the default). | |||||
| .It Cm always | |||||
| pf will always send syncookie SYNACKs. | |||||
| .It Cm adaptive | |||||
| pf will enable syncookie mode when a given percentage of the state table | |||||
| is used up by half-open TCP connections, as in, those that saw the initial | |||||
| SYN but didn't finish the three way handshake. | |||||
Done Inline ActionsCapitalize tcp here? bcr: Capitalize tcp here? | |||||
| The thresholds for entering and leaving syncookie mode can be specified using | |||||
| .Bd -literal -offset indent | |||||
| set syncookies adaptive (start 25%, end 12%) | |||||
| .Ed | |||||
| .El | |||||
| .It Ar set state-defaults | .It Ar set state-defaults | ||||
| The | The | ||||
| .Ar state-defaults | .Ar state-defaults | ||||
| option sets the state options for states created from rules | option sets the state options for states created from rules | ||||
| without an explicit | without an explicit | ||||
| .Ar keep state . | .Ar keep state . | ||||
| For example: | For example: | ||||
| .Bd -literal -offset indent | .Bd -literal -offset indent | ||||
| ▲ Show 20 Lines • Show All 2,626 Lines • Show Last 20 Lines | |||||
Something sounds odd in this sentence, maybe a missing word or letter.
Is it
s/share/shared/ maybe or
s/answers to each/answers that each/
maybe?