author | Jason McIntyre <jmc@cvs.openbsd.org> | 2018-02-08 17:51:44 +0000 |
---|---|---|
committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2018-02-08 17:51:44 +0000 |
commit | c2246751b26ecd6b9f6d97030f2709c35ff2c917 (patch) | |
tree | 4f0f0f3365db4d7eed1c28f445406dd182ebc931 /share/man/man5/pf.conf.5 | |
parent | be4f47925b63ba42ac679e8a18cec9c3b1e46a3f (diff) |
tweak previous; ok henning
Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r-- | share/man/man5/pf.conf.5 | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 77994dc6ee3..81546df5323 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.572 2018/02/08 09:14:19 henning Exp $ +.\" $OpenBSD: pf.conf.5,v 1.573 2018/02/08 17:51:43 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org> @@ -1358,17 +1358,17 @@ States can match packets on any interfaces (the default). .It Ic set Cm syncookies never | always | adaptive When .Cm syncookies -are active, pf will answer each and every incoming tcp SYN with a -syncookie SYNACK, without allocating any ressources. +are active, pf will answer each and every incoming TCP SYN with a +syncookie SYNACK, without allocating any resources. Upon reception of the client's ACK in response to the syncookie SYNACK, pf will evaluate the ruleset and create state if the ruleset -permits it, complete the three way handshake with the target host and -continue the connection with synproxy in place. +permits it, complete the three way handshake with the target host, +and continue the connection with synproxy in place. This allows pf to be resilient against large synflood attacks which would -run the state table against its limits otherwise. -Due to the blind answers to each and every SYN syncookies share the -caveats of synproxy, namely seemingly accepting connections that will be -dropped later on. +otherwise run the state table against its limits. +Due to the blind answers to each and every SYN, +syncookies share the caveats of synproxy: +seemingly accepting connections that will be dropped later on. .Pp .Bl -tag -width adaptive -compact .It Cm never 
@@ -1377,9 +1377,9 @@ pf will never send syncookie SYNACKs. pf will always send syncookie SYNACKs. .It Cm adaptive pf will enable syncookie mode when a given percentage of the state table -is used up by half-open tcp connections, as in, those that saw the initial +is used up by half-open TCP connections, such as those that saw the initial SYN but didn't finish the three way handshake. -The thresholds for entering and leaving syncookie mode can be specified using +The thresholds for entering and leaving syncookie mode can be specified using: .Bd -literal -offset indent set syncookies adaptive (start 25%, end 12%) .Ed |
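Review bot: in the first hunk (@@ -1358), the reworded line `+permits it, complete the three way handshake with the target host,` keeps "three way handshake" unhyphenated; as a compound modifier it should read "three-way handshake", and the same spelling appears again in the second hunk, so both occurrences can be fixed in this commit. While this change capitalizes "tcp" to "TCP", the neighbouring terms "synflood" and "SYNACK" are left in their ad-hoc forms; "SYN flood" and "SYN-ACK" would be consistent with the "TCP SYN" and "ACK" already used on these lines.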
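Review bot: in the second hunk (@@ -1377), replacing "as in" with "such as" in `+is used up by half-open TCP connections, such as those that saw the initial` changes the meaning of the sentence: the trailing clause defines what a half-open connection is (initial SYN seen, handshake never completed), it does not give one example of several, so "such as" makes the threshold description sound narrower than the state it actually counts. "that is, those that saw the initial" keeps the original sense while still fixing the awkward "as in". The colon added to `+The thresholds for entering and leaving syncookie mode can be specified using:` is fine since the `.Bd -literal` block follows directly.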