summaryrefslogtreecommitdiff
path: root/share/man
diff options
context:
space:
mode:
authorMike Frantzen <frantzen@cvs.openbsd.org>2003-05-11 20:46:12 +0000
committerMike Frantzen <frantzen@cvs.openbsd.org>2003-05-11 20:46:12 +0000
commit0eb088e35d18427bb4461e374fa27f699cf0594e (patch)
tree72d13e9e81c0566b11f19939d232a7b115f92852 /share/man
parent916b8d52a41cbdb80f79ab7dd5b7f013043d9bec (diff)
document the dynamic min-ttl TCP scrub behavior
Diffstat (limited to 'share/man')
-rw-r--r--share/man/man5/pf.conf.510
1 files changed, 9 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 721f8f6d1bf..870ddc00620 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.233 2003/05/10 23:27:07 dhartmei Exp $
+.\" $OpenBSD: pf.conf.5,v 1.234 2003/05/11 20:46:11 frantzen Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -453,6 +453,14 @@ modifier (see below) is recommended in combination with the
modifier to ensure unique IP identifiers.
.It Ar min-ttl <number>
Enforces a minimum ttl for matching ip packets.
+For statefully tracked TCP connections,
+.Ar scrub
+will automatically (without the
+.Ar min-ttl
+modifier) keep the maximum TTL of each side of the connection and apply
+it to all future packets.
+Inhibits an attacker from sending low TTL packets through the firewall that
+change state but expires before being received by the end host.
.It Ar max-mss <number>
Enforces a maximum mss for matching tcp packets.
.It Ar random-id