| | | |
|---|---|---|
| author | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2013-12-21 20:57:02 +0000 |
| committer | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2013-12-21 20:57:02 +0000 |
| commit | 62d30e5ad0c99f3a87e418b9f85eacd24a170345 (patch) | |
| tree | da2d4e3778ad5abfc9fb9d49f4c737a1154d7746 /share | |
| parent | 5b749b0ae6b4c6ba066887f3b13fbb50605689b1 (diff) | |
Document that the "user" socket check is not reliable with wildcard
listeners. Update the example to reflect this.
Deprecate usage of user "unknown" too, same reason.
Noted by Maxim Khitrov on bugs
ok henning, jmc
Diffstat (limited to 'share')

| | | |
|---|---|---|
| -rw-r--r-- | share/man/man5/pf.conf.5 | 40 |

1 files changed, 12 insertions, 28 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index a2a75b91176..2ec87dfb4ae 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.531 2013/11/27 15:16:29 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.532 2013/12/21 20:57:01 camield Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org> @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 27 2013 $ +.Dd $Mdocdate: December 21 2013 $ .Dt PF.CONF 5 .Os .Sh NAME @@ -760,9 +760,14 @@ For outgoing connections initiated from the firewall, this is the user that opened the connection. For incoming connections to the firewall itself, this is the user that listens on the destination port. -For forwarded connections, where the firewall is not a connection endpoint, -the user and group are -.Em unknown . +.Pp +When listening sockets are bound to the wildcard address, +.Xr pf 4 +cannot determine if a connection is destined for the firewall itself. +To avoid false matches on just the destination port, combine a +.Ar user +rule with source or destination address +.Ar self . .Pp All packets, both outgoing and incoming, of one connection are associated with the same user and group. 
@@ -777,32 +782,11 @@ user ID (to drop privileges), the credentials will remain root. .Pp User and group IDs can be specified as either numbers or names. The syntax is similar to the one for ports. -The value -.Ar unknown -matches packets of forwarded connections. -.Ar unknown -can only be used with the operators -.Cm = -and -.Cm != . -Other constructs like -.Cm user \*(Ge unknown -are invalid. -Forwarded packets with unknown user and group ID match only rules -that explicitly compare -.Ar unknown -with the operators -.Cm = -or -.Cm != . -For instance -.Cm user \*(Ge 0 -does not match forwarded packets. The following example allows only selected users to open outgoing connections: .Bd -literal -offset indent -block out proto { tcp, udp } all -pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei } +block out proto tcp all +pass out proto tcp from self user { \*(Lt 1000, dhartmei } .Ed .El .Ss Translation |
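Review bot: in the hunk at line 760, the new paragraph removes the sentence that told readers what user and group a forwarded connection carries, but the replacement only explains the wildcard-listener ambiguity; it never says how forwarded traffic is now treated by a user rule. A sentence stating that forwarded connections are not associated with any user or group, alongside the advice to combine user with "from self" or "to self", would keep the section complete. It would also help to name the wildcard address concretely (0.0.0.0 or ::), since "bound to the wildcard address" is what most readers need to recognise in their netstat output.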
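Review bot: in the hunk at line 777, the whole paragraph on the user value "unknown" is deleted, but the commit message says the value is being deprecated, not removed; someone with "user unknown" in an existing ruleset now finds no mention of it in the man page. A one-line note that "unknown" is deprecated and why (the socket check cannot distinguish forwarded from local traffic with wildcard listeners) would close that gap. Separately, the example changes two things at once: it adds "from self" to pass the wildcard problem, and it also drops udp from the protocol list ("proto { tcp, udp }" becomes "proto tcp"), which neither the text nor the commit message explains. If UDP was dropped because the socket lookup is unreliable for it, say so in the text; otherwise keep "{ tcp, udp }" so the example still shows the multi-protocol form.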