author Theo de Raadt <deraadt@cvs.openbsd.org> 2003-03-10 09:33:52 +0000
committer Theo de Raadt <deraadt@cvs.openbsd.org> 2003-03-10 09:33:52 +0000
commit 7203fdf7aec8f56ee8a16ae45573b6abcceb09f6
tree 852b059c6a155471ede0ead943f5a05994550f28
parent e26366db5fca1e363f9cf9050a6dc031fd8ef0f1
few minor tweaks
-rw-r--r-- share/man/man5/pf.conf.5 18
1 files changed, 4 insertions, 14 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index c0eb1fec020..d38ae64cd2c 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.211 2003/03/10 09:27:47 jmc Exp $
+.\" $OpenBSD: pf.conf.5,v 1.212 2003/03/10 09:33:51 deraadt Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -96,7 +96,6 @@ Macro names may not be reserved words (for example
Macros are not expanded inside quotes.
.Pp
For example,
-.Pp
.Bd -literal -offset indent
ext_if = \&"kue0\&"
all_ifs = \&"{\&" $ext_if lo0 \&"}\&"
@@ -141,7 +140,7 @@ or
option of
.Xr pfctl 8 ,
before or after the ruleset has been loaded.
-.It Ar pf.conf
+.It Pa pf.conf
Table definitions can be placed directly in this file, and loaded at the
same time as other rules are loaded, atomically.
Table definitions inside
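Review bot: On the `.It Pa pf.conf` tag, `Pa` is a sensible macro for a file name, but the body text of this same list still refers to the file as `.Nm pf.conf` (visible as context in the next hunk). The tag and the running text will therefore render the same name in two different styles; consider settling on one macro for the file name within this list, or note why the tag is treated as a path and the prose as the page name.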
@@ -154,7 +153,7 @@ to initialize it is not altered when
.Nm pf.conf
is loaded.
A table initialized with the empty list,
-.Ar { } ,
+.Li { } ,
will be cleared on load.
.El
.Pp
@@ -288,7 +287,6 @@ Other protocols are handled similarly to UDP:
.El
.Pp
For example:
-.br
.Bd -literal -offset indent
set timeout tcp.established 3600
set timeout { tcp.opening 30, tcp.closing 900 }
@@ -328,6 +326,7 @@ sets the maximum number of entries in the memory pool used by state table
entries (generated by
.Ar keep state
rules) to 20000.
+Using
.Bd -literal -offset indent
set limit frags 20000
.Ed
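Review bot: The added `Using` line opens a sentence that the `.Bd`/`.Ed` display interrupts, and its continuation after `.Ed` is outside the hunk context, so please confirm that the text following the display completes it in the same way as the preceding example, which ends "rules) to 20000.". There is also no `.Pp` between that sentence and `Using`, so the two `set limit` examples run together in one paragraph. Since this is a wording change rather than macro cleanup, it is worth naming in the commit message.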
@@ -366,7 +365,6 @@ network) and slightly increased processor utilization.
.El
.Pp
For example:
-.Pp
.Bd -literal -offset indent
set optimization aggressive
.Ed
@@ -388,7 +386,6 @@ and all other packets are silently dropped.
.El
.Pp
For example:
-.Pp
.Bd -literal -offset indent
set block-policy return
.Ed
@@ -687,7 +684,6 @@ and
The queues may then be referenced by filtering rules (see
.Sx PACKET FILTERING
below).
-.Pp
.Bd -literal
queue std bandwidth 10% cbq(default)
queue http bandwidth 60% priority 2 cbq(borrow red) \e
@@ -1171,7 +1167,6 @@ The rule number.
.El
.Pp
For example:
-.Pp
.Bd -literal -offset indent
ips = \&"{ 1.2.3.4, 1.2.3.5 }\&"
pass in proto tcp from any to $ips \e
@@ -1202,7 +1197,6 @@ See
for setup details.
.Pp
For example:
-.Pp
.Bd -literal -offset indent
pass in proto tcp to port 25 queue mail
pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio)
@@ -1546,7 +1540,6 @@ Filter rules without the
.Ar fragment
option still apply to fragments, if they only specify IP header fields.
For instance, the rule
-.Pp
.Bd -literal -offset indent
pass in proto tcp from any to any port 80
.Ed
@@ -1652,7 +1645,6 @@ is loaded, and later such named rulesets can be manipulated through
.Xr pfctl 8
without reloading the main ruleset.
For example,
-.Pp
.Bd -literal -offset indent
ext_if = \&"kue0\&"
block on $ext_if all
@@ -1667,7 +1659,6 @@ all rulesets in the
.Ar anchor
named "spam", and finally passes all outgoing connections and
incoming connections to port 25.
-.Pp
.Bd -literal -offset indent
# echo \&"block in quick from 1.2.3.4 to any\&" \&|
pfctl -a spam:manual -f -
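Review bot: With the `.Pp` removed, the `pfctl -a spam:manual -f -` display follows directly after the sentence ending "incoming connections to port 25.", which describes the ruleset shown above rather than this command. The other displays touched by this patch are introduced by "For example," or "For instance, the rule"; a short lead-in here saying that the command adds a rule under the anchor from the shell would keep the ruleset example and the command example from reading as a single block.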
@@ -1788,7 +1779,6 @@ rdr on kue0 inet proto udp from any to (kue0) port 8080 -> 10.1.2.151 \e
rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
.Ed
.Sh FILTER EXAMPLES
-.Pp
.Bd -literal
# The external interface is kue0
# (157.161.48.183, the only routable address)