path: root/share/man/man5/pf.conf.5
author: Jason McIntyre <jmc@cvs.openbsd.org> 2018-02-08 17:51:44 +0000
committer: Jason McIntyre <jmc@cvs.openbsd.org> 2018-02-08 17:51:44 +0000
commit: c2246751b26ecd6b9f6d97030f2709c35ff2c917
tree: 4f0f0f3365db4d7eed1c28f445406dd182ebc931 /share/man/man5/pf.conf.5
parent: be4f47925b63ba42ac679e8a18cec9c3b1e46a3f
tweak previous; ok henning
Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r-- share/man/man5/pf.conf.5 | 22
1 file changed, 11 insertions, 11 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 77994dc6ee3..81546df5323 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.572 2018/02/08 09:14:19 henning Exp $
+.\" $OpenBSD: pf.conf.5,v 1.573 2018/02/08 17:51:43 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org>
@@ -1358,17 +1358,17 @@ States can match packets on any interfaces (the default).
.It Ic set Cm syncookies never | always | adaptive
When
.Cm syncookies
-are active, pf will answer each and every incoming tcp SYN with a
-syncookie SYNACK, without allocating any ressources.
+are active, pf will answer each and every incoming TCP SYN with a
+syncookie SYNACK, without allocating any resources.
Upon reception of the client's ACK in response to the syncookie
SYNACK, pf will evaluate the ruleset and create state if the ruleset
-permits it, complete the three way handshake with the target host and
-continue the connection with synproxy in place.
+permits it, complete the three way handshake with the target host,
+and continue the connection with synproxy in place.
This allows pf to be resilient against large synflood attacks which would
-run the state table against its limits otherwise.
-Due to the blind answers to each and every SYN syncookies share the
-caveats of synproxy, namely seemingly accepting connections that will be
-dropped later on.
+otherwise run the state table against its limits.
+Due to the blind answers to each and every SYN,
+syncookies share the caveats of synproxy:
+seemingly accepting connections that will be dropped later on.
.Pp
.Bl -tag -width adaptive -compact
.It Cm never
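Review bot: "three way handshake" on the `+permits it, complete the three way handshake with the target host,` line should be hyphenated as "three-way handshake" (it is a compound modifier); the same unhyphenated form survives as unchanged context in the next hunk (`SYN but didn't finish the three way handshake.`), so fix both in this commit rather than leaving the page inconsistent. Also consider marking `synproxy` with `.Cm` on the `+and continue the connection with synproxy in place.` line, as the page already does for `.Cm syncookies` two lines above, since it names a pf option rather than a generic term.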
@@ -1377,9 +1377,9 @@ pf will never send syncookie SYNACKs.
pf will always send syncookie SYNACKs.
.It Cm adaptive
pf will enable syncookie mode when a given percentage of the state table
-is used up by half-open tcp connections, as in, those that saw the initial
+is used up by half-open TCP connections, such as those that saw the initial
SYN but didn't finish the three way handshake.
-The thresholds for entering and leaving syncookie mode can be specified using
+The thresholds for entering and leaving syncookie mode can be specified using:
.Bd -literal -offset indent
set syncookies adaptive (start 25%, end 12%)
.Ed
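Review bot: "such as those that saw the initial SYN but didn't finish the three way handshake" on the `+is used up by half-open TCP connections, such as those that saw the initial` line changes the meaning of the sentence: the removed "as in, those" was defining what a half-open connection is, whereas "such as" reads as if that were only one example of several. Since the adaptive threshold counts exactly those states, suggest "that is, those that saw the initial SYN but did not finish the three-way handshake." so the definition stays exact (and picks up the hyphenation). The added colon on the `+The thresholds for entering and leaving syncookie mode can be specified using:` line is fine for introducing the `.Bd -literal` block.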