author: David Krause <david@cvs.openbsd.org> 2003-03-22 00:10:18 +0000
committer: David Krause <david@cvs.openbsd.org> 2003-03-22 00:10:18 +0000
commit: 4f310d9c8577afb6bed6e1d20b1aa98c1fda97c8 (patch)
tree: fe6060d4f68c48f780caf1d3d5dc9393241c3853
parent: 80159d753227ab38b9023c9697a6b54a395636b4 (diff)
Cleanup for release:
- remove some unneeded escaping of spaces "\ "
- indent by 6 spaces in a few places to match the rest of the file
- fix a few lines that were improperly wrapped or not wrapped to the next line
- update sample rule expansion to match current state of pfctl output
- fix spacing in a few places
- fix a small typo found by jmc@
- updated a few example rules so that they parse with current pfctl

ok henning@ jmc@
-rw-r--r--  share/man/man5/pf.conf.5  58
1 files changed, 29 insertions, 29 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index c57bf6f5b1b..91622bcd8f5 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.218 2003/03/20 01:27:17 david Exp $
+.\" $OpenBSD: pf.conf.5,v 1.219 2003/03/22 00:10:17 david Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -100,7 +100,7 @@ For example,
ext_if = \&"kue0\&"
all_ifs = \&"{\&" $ext_if lo0 \&"}\&"
pass out on $ext_if from any to any keep state
-pass in \ on $ext_if proto tcp from any to any port 25 keep state
+pass in on $ext_if proto tcp from any to any port 25 keep state
.Ed
.Pp
.Sh TABLES
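Review bot: removing `\ ` here is correct but cosmetic: `\ ` is the roff unpaddable-space escape and, even inside a `.Bd -literal` block, it should still render as a plain space, so the displayed `pass in on $ext_if ...` rule does not change. The same holds for the `queue \ ...` and `pass \ out` hunks below; what the change buys is a source line that can be copied into a real pf.conf without editing.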
@@ -727,12 +727,12 @@ below).
queue std bandwidth 10% cbq(default)
queue http bandwidth 60% priority 2 cbq(borrow red) \e
{ employees, developers }
-queue \ developers bandwidth 75% cbq(borrow)
-queue \ employees bandwidth 15%
+queue developers bandwidth 75% cbq(borrow)
+queue employees bandwidth 15%
queue mail bandwidth 10% priority 0 cbq(borrow ecn)
queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
-queue \ ssh_interactive priority 7
-queue \ ssh_bulk priority 0
+queue ssh_interactive priority 7
+queue ssh_bulk priority 0
block return out on dc0 inet all queue std
pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
@@ -1085,7 +1085,7 @@ pass in all
pass in from any to any
pass in proto tcp from any port <= 1024 to any
pass in proto tcp from any to any port 25
-pass in proto tcp from 10.0.0.0/8 port >1024 \e
+pass in proto tcp from 10.0.0.0/8 port > 1024 \e
to ! 10.1.2.3 port != ssh
.Ed
.It Ar all
@@ -1143,8 +1143,8 @@ The following example allows only selected users to open outgoing
connections:
.Bd -literal -offset indent
block out proto { tcp, udp } all
-pass \ out proto { tcp, udp } all \e
- user { < 1000, dhartmei } keep state
+pass out proto { tcp, udp } all \e
+ user { < 1000, dhartmei } keep state
.Ed
.It Ar flags <a>/<b> | /<b>
This rule only applies to TCP packets that have the flags
@@ -1218,16 +1218,15 @@ For example:
.Bd -literal -offset indent
ips = \&"{ 1.2.3.4, 1.2.3.5 }\&"
pass in proto tcp from any to $ips \e
- port >1023
-label \&"$dstaddr:$dstport\&"
+ port > 1023 label \&"$dstaddr:$dstport\&"
.Ed
.Pp
expands to
.Bd -literal -offset indent
-pass in proto tcp from any to 1.2.3.4 \e
- port >1023 label \&"1.2.3.4:>1023\&"
-pass in proto tcp from any to 1.2.3.5 \e
- port >1023 label \&"1.2.3.5:>1023\&"
+pass in inet proto tcp from any to 1.2.3.4 \e
+ port > 1023 label \&"1.2.3.4:>1023\&"
+pass in inet proto tcp from any to 1.2.3.5 \e
+ port > 1023 label \&"1.2.3.5:>1023\&"
.Ed
.Pp
The macro expansion for the
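Review bot: the expanded rules now carry `inet` although the source rule above has no address family, and nothing in the prose around `expands to` explains where it comes from. A short clause noting that pfctl infers `inet` from the IPv4 addresses in `$ips` would save readers from concluding that the family has to be written explicitly. Also note that the label values still read `:>1023` while the rule text now says `port > 1023`; if that is what pfctl prints, fine, otherwise the two spellings should agree.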
@@ -1384,7 +1383,7 @@ For instance:
.Bd -literal -offset indent
block all
pass out proto tcp from any to any flags S/SA keep state
-pass in proto tcp from any to any port 25 flags S/SA keep state
+pass in proto tcp from any to any port 25 flags S/SA keep state
.Ed
.Pp
This ruleset blocks everything by default.
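Review bot: the removed and added lines of this hunk are identical as displayed (`pass in proto tcp from any to any port 25 flags S/SA keep state`), so the change must be whitespace only (a trailing or doubled space), presumably one of the "fix spacing" items from the commit message. Worth a word in the log so that a later reader of the history does not search this hunk for a content change that is not there.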
@@ -1432,7 +1431,7 @@ allows echo requests (such as those created by
out, creates state, and matches incoming echo replies correctly to states.
.Pp
Note:
-.Ar nat, binat No and Ar rdr
+.Ar nat , binat No and Ar rdr
rules implicitly create state for connections.
.Sh STATE MODULATION
Much of the security derived from TCP is attributable to how well the
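Review bot: `.Ar nat , binat No and Ar rdr` is the correct mdoc form: punctuation is only recognised as punctuation (and set in the normal font, outside the argument) when it is a separate argument, so the old `nat,` was rendered as part of the `.Ar` argument with the comma in the same font. Any other `.Ar foo,` left in the file will have the same problem and may be worth a grep before release.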
@@ -1454,8 +1453,9 @@ only applicable to TCP connections.
.Pp
For instance:
.Bd -literal -offset indent
-block all pass out proto tcp from any to any modulate state
-pass in proto tcp from any to any port 25 flags S/SA modulate state
+block all
+pass out proto tcp from any to any modulate state
+pass in proto tcp from any to any port 25 flags S/SA modulate state
.Ed
.Pp
There are two caveats associated with state modulation:
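Review bot: this split is required rather than cosmetic: pf.conf rules are newline-separated, so `block all pass out proto tcp ...` on one line is a single malformed rule and the example as previously printed would not load with `pfctl -f`. The three-line form now mirrors the `keep state` example earlier in the file (`block all` / `pass out ...` / `pass in ... port 25 ...`), which makes the `modulate state` comparison easier to read.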
@@ -1528,8 +1528,8 @@ antispoof for lo0
.Pp
expands to
.Bd -literal -offset indent
-block in on ! lo0 inet from 127.0.0.1/8 to any
-block in on ! lo0 inet6 from ::1 to any
+block drop in on ! lo0 inet from 127.0.0.1/8 to any
+block drop in on ! lo0 inet6 from ::1 to any
.Ed
.Pp
For non-loopback interfaces, there are additional rules to block incoming
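Review bot: the expansion now prints `block drop` explicitly, which is how pfctl shows a plain `block` under the default drop policy, in line with the "match current state of pfctl output" item of the commit message. Reading the two rules as printed makes the purpose of `antispoof for lo0` clear: packets claiming a loopback source (`127.0.0.1/8` or `::1`) that arrive on any interface other than `lo0` are dropped.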
@@ -1543,8 +1543,8 @@ antispoof for wi0 inet
.Pp
expands to
.Bd -literal -offset indent
-block in on ! wi0 inet from 10.0.0.1/24 to any
-block in inet from 10.0.0.1 to any
+block drop in on ! wi0 inet from 10.0.0.0/24 to any
+block drop in inet from 10.0.0.1 to any
.Ed
.Pp
Caveat: Rules created by the
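Review bot: `10.0.0.1/24` to `10.0.0.0/24` is a genuine correction, not spacing: the first rule matches the whole interface network and pfctl prints the network address, so the host form was misleading. For consistency, the `lo0` hunk above still shows the host form `127.0.0.1/8`; unless pfctl really prints loopback differently, `127.0.0.0/8` would match this hunk, and if it does print the host form a sentence saying so would pre-empt the question. As printed, the pair reads: drop packets whose source lies in wi0's network but which arrive on another interface, and drop packets using wi0's own address as source on any interface.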
@@ -1708,7 +1708,7 @@ all rulesets in the
named "spam", and finally passes all outgoing connections and
incoming connections to port 25.
.Bd -literal -offset indent
-# echo \&"block in quick from 1.2.3.4 to any\&" \&|
+# echo \&"block in quick from 1.2.3.4 to any\&" \&| \e
pfctl -a spam:manual -f -
.Ed
.Pp
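Review bot: the added `\e` renders as a backslash, so the example now shows the shell command wrapped as `... | \` followed by `pfctl -a spam:manual -f -`. For the shell itself the backslash is redundant, because a trailing `|` already continues a pipeline onto the next line in sh, but it is harmless and consistent with the `\e`-wrapped pf rules elsewhere in the file, so readers no longer wonder whether the second line is a separate command.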
@@ -1740,7 +1740,7 @@ spam are only evaluated for
packets with destination port 25.
Hence,
.Bd -literal -offset indent
-# echo \&"block in quick from 1.2.3.4 to any" \&|
+# echo \&"block in quick from 1.2.3.4 to any" \&| \e
pfctl -a spam:manual -f -
.Ed
.Pp
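Review bot: the closing quote in this hunk is written `to any"` while the otherwise identical command in the previous hunk writes it `to any\&"`; the two examples should use the same escaping (the `\&"` form is what the rest of the file uses for literal double quotes), otherwise the rendering of the closing quote can differ between the two blocks. The remark about the `\e` being redundant for the shell but consistent with the file applies here as well.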
@@ -1783,9 +1783,9 @@ for one specific server, as well as those generated by the sysadmins
are not proxied; all other connections are.
.Bd -literal
# NO RDR
-no rdr on fxp0 from any to $server port 80
-no rdr on fxp0 from $sysadmins to any port 80
-rdr on fxp0 from any to any port 80 -> 127.0.0.1 port 80
+no rdr on fxp0 proto { tcp, udp } from any to $server port 80
+no rdr on fxp0 proto { tcp, udp } from $sysadmins to any port 80
+rdr on fxp0 proto { tcp, udp } from any to any port 80 -> 127.0.0.1 port 80
.Ed
.Pp
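Review bot: adding `proto { tcp, udp }` presumably fixes the parse error behind the "parse with current pfctl" item of the commit message, since the `port 80` match needs a protocol, but for a transparent HTTP proxy example `proto tcp` alone would be tighter. Redirecting UDP port 80 to `127.0.0.1 port 80` serves no purpose for the proxy, and it widens the `no rdr` exceptions for `$server` and `$sysadmins` to a protocol they never use; whatever the `rdr` rule ends up matching, the two `no rdr` lines should mirror it exactly.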
This longer example uses both a NAT and a redirection.
@@ -1965,7 +1965,7 @@ altq-rule = altq on interface-name queueopts-list
queue-rule = queue string queueopts-list queue-list
queueopts-list = queueopts-list queueopts | queueopts
-queueopts = [ bandwidth number ( b | Kb | Mb | Gb | %) ] |
+queueopts = [ bandwidth number ( b | Kb | Mb | Gb | %) ] |
[ qlimit number ] | [ tbrsize number ] |
[ priority number ] | [ schedulers ] |
[ qlimit number ]
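Review bot: the `-` and `+` lines of this hunk are identical as displayed, so this is another whitespace-only change. Independently of the change, the surrounding context lists `[ qlimit number ]` twice among the `queueopts` alternatives (second and last lines of the rule); the duplicate should be dropped, or replaced by the option that was meant, since a grammar summary with a repeated alternative misleads readers checking their rulesets against it.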