author    Mike Frantzen <frantzen@cvs.openbsd.org>  2003-05-11 20:46:12 +0000
committer Mike Frantzen <frantzen@cvs.openbsd.org>  2003-05-11 20:46:12 +0000
commit    0eb088e35d18427bb4461e374fa27f699cf0594e
tree      72d13e9e81c0566b11f19939d232a7b115f92852 /share
parent    916b8d52a41cbdb80f79ab7dd5b7f013043d9bec
document the dynamic min-ttl TCP scrub behavior
Diffstat (limited to 'share')
-rw-r--r--  share/man/man5/pf.conf.5 | 10
1 files changed, 9 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 721f8f6d1bf..870ddc00620 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.233 2003/05/10 23:27:07 dhartmei Exp $
+.\" $OpenBSD: pf.conf.5,v 1.234 2003/05/11 20:46:11 frantzen Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -453,6 +453,14 @@ modifier (see below) is recommended in combination with the
modifier to ensure unique IP identifiers.
.It Ar min-ttl <number>
Enforces a minimum ttl for matching ip packets.
+For statefully tracked TCP connections,
+.Ar scrub
+will automatically (without the
+.Ar min-ttl
+modifier) keep the maximum TTL of each side of the connection and apply
+it to all future packets.
+Inhibits an attacker from sending low TTL packets through the firewall that
+change state but expires before being received by the end host.
.It Ar max-mss <number>
Enforces a maximum mss for matching tcp packets.
.It Ar random-id
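Review bot: the closing sentence of the new min-ttl paragraph has a subject/verb agreement error and reads as a fragment: "Inhibits an attacker from sending low TTL packets through the firewall that change state but expires before being received by the end host." The relative clause refers to "packets", so "expires" should be "expire", and the sentence wants a subject, e.g. "This inhibits an attacker from sending low TTL packets through the firewall that change state but expire before being received by the end host." While here, the unchanged context line "Enforces a minimum ttl for matching ip packets." writes "ttl" and "ip" in lowercase, whereas the added text writes "TTL" in capitals; picking one form in this section would keep the manual page consistent.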