author | Jason McIntyre <jmc@cvs.openbsd.org> | 2003-03-11 09:24:59 +0000 |
---|---|---|
committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2003-03-11 09:24:59 +0000 |
commit | 5481f12a74494cf75b24a40d11aace8b9f2f77ad (patch) | |
tree | 3f164b8c63a25c1666983a2777f2a3081572e8af /usr.sbin | |
parent | f5196a0a8a41305db41555310318c33c31e354f4 (diff) |
removed .Ic's which were giving postscript trouble;
ok deraadt@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/authpf/authpf.8 | 124 |
1 files changed, 51 insertions, 73 deletions
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8
index 7d7d268f9b2..4e6a1d6821a 100644
--- a/usr.sbin/authpf/authpf.8
+++ b/usr.sbin/authpf/authpf.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.23 2003/03/10 15:37:29 jmc Exp $
+.\" $OpenBSD: authpf.8,v 1.24 2003/03/11 09:24:57 jmc Exp $
 .\"
 .\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.
 .\"
@@ -93,10 +93,10 @@ in order to cause evaluation of any
 .Nm
 rules:
 .Bd -literal
-.Ic nat-anchor authpf
-.Ic rdr-anchor authpf
-.Ic binat-anchor authpf
-.Ic anchor authpf
+nat-anchor authpf
+rdr-anchor authpf
+binat-anchor authpf
+anchor authpf
 .Ed
 .Pp
 .Sh FILTER AND TRANSLATION RULES
@@ -311,21 +311,21 @@ To make that happen,
 .Xr login.conf 5
 should have entries that look something like this:
 .Bd -literal
-.Ic shell-default:shell=/bin/csh
+shell-default:shell=/bin/csh
 .Pp
-.Ic default:\e
-.Ic \ \ \ \ ...
-.Ic \ \ \ \ :shell=/usr/sbin/authpf
+default:\e
+ ...
+ :shell=/usr/sbin/authpf
 .Pp
-.Ic daemon:\e
-.Ic \ \ \ \ ...
-.Ic \ \ \ \ :shell=/bin/csh:\e
-.Ic \ \ \ \ :tc=default:
+daemon:\e
+ ...
+ :shell=/bin/csh:\e
+ :tc=default:
 .Pp
-.Ic staff:\e
-.Ic \ \ \ \ ...
-.Ic \ \ \ \ :shell=/bin/csh:\e
-.Ic \ \ \ \ :tc=default:
+staff:\e
+ ...
+ :shell=/bin/csh:\e
+ :tc=default:
 .Ed
 .Pp
 Using a default password file, all users will get
@@ -339,8 +339,8 @@ must be properly configured to detect and defeat network attacks.
 To that end, the following options should be added to
 .Xr sshd_config 5 :
 .Bd -literal
-.Ic ClientAliveInterval 15
-.Ic ClientAliveCountMax 3
+ClientAliveInterval 15
+ClientAliveCountMax 3
 .Ed
 .Pp
 This ensures that unresponsive or spoofed sessions are terminated within a
@@ -354,25 +354,17 @@ of
 .Pa /etc/motd
 or something as simple as the following:
 .Bd -literal -offset indent
-.Xo Ic This means you will be held accountable\
-.Ic by the powers that be
-.Xc
-.Xo Ic for traffic originating from your machine,\
-.Ic so please play nice.
-.Xc
+This means you will be held accountable by the powers that be
+for traffic originating from your machine, so please play nice.
 .Ed
 .Pp
 To tell the user where to go when the system is broken,
 .Pa /etc/authpf/authpf.problem
 could contain something like this:
 .Bd -literal -offset indent
-.Xo Ic Sorry, there appears to be some system\
-.Ic problem. To report this
-.Xc
-.Xo Ic problem so we can fix it, please\
-.Ic phone 1-900-314-1597 or send
-.Xc
-.Ic an email to remove@bulkmailerz.net.
+Sorry, there appears to be some system problem. To report this
+problem so we can fix it, please phone 1-900-314-1597 or send
+an email to remove@bulkmailerz.net.
 .Ed
 .Pp
 \fBPacket Filter Rules\fP - In areas where this gateway is used to protect a
@@ -394,21 +386,17 @@ Example
 .Bd -literal
 # by default we allow internal clients to talk to us using
 # ssh and use us as a dns server.
-.Ic internal_if=\&"fxp1\&"
-.Ic gateway_addr=\&"10.0.1.1\&"
-.Ic nat-anchor authpf
-.Ic rdr-anchor authpf
-.Ic binat-anchor authpf
-.Ic block in on $internal_if from any to any
-.Xo Ic pass in quick on $internal_if proto tcp\
-.Ic from any to $gateway_addr \e
-.Xc
-.Ic \ \ port = ssh
-.Xo Ic pass in quick on $internal_if proto udp\
-.Ic from any to $gateway_addr \e
-.Xc
-.Ic \ \ port = domain
-.Ic anchor authpf
+internal_if=\&"fxp1\&"
+gateway_addr=\&"10.0.1.1\&"
+nat-anchor authpf
+rdr-anchor authpf
+binat-anchor authpf
+block in on $internal_if from any to any
+pass in quick on $internal_if proto tcp from any to $gateway_addr \e
+ port = ssh
+pass in quick on $internal_if proto udp from any to $gateway_addr \e
+ port = domain
+anchor authpf
 .Ed
 .Pp
 Example
@@ -416,14 +404,12 @@ Example
 .Bd -literal
 # no real restrictions here, basically turn the network jack off or on.
 .Pp
-.Ic external_if = \&"xl0\&"
-.Ic internal_if = \&"fxp0\&"
+external_if = \&"xl0\&"
+internal_if = \&"fxp0\&"
 .Pp
-.Xo Ic pass in log quick on $internal_if proto\
-.Ic tcp from $user_ip to any \e
-.Xc
-.Ic \ \ keep state
-.Ic pass in quick on $internal_if from $user_ip to any
+pass in log quick on $internal_if proto tcp from $user_ip to any \e
+ keep state
+pass in quick on $internal_if from $user_ip to any
 .Ed
 .Pp
 Another example
@@ -431,30 +417,22 @@ Another example
 for an insecure network (such as a public wireless network) where
 we might need to be a bit more restrictive.
 .Bd -literal
-.Ic internal_if=\&"fxp1\&"
-.Ic ipsec_gw=\&"10.2.3.4\&"
+internal_if=\&"fxp1\&"
+ipsec_gw=\&"10.2.3.4\&"
 .Pp
 # rdr ftp for proxying by ftp-proxy(8)
-.Xo Ic rdr on $internal_if proto tcp from\
-.Ic $user_ip to any port 21 \e
-.Xc
-.Ic \ \ -> 127.0.0.1 port 8081
+rdr on $internal_if proto tcp from $user_ip to any port 21 \e
+ -> 127.0.0.1 port 8081
 .Pp
 # allow out ftp, ssh, www and https only, and allow user to negotiate
 # ipsec with the ipsec server.
-.Xo Ic pass in log quick on $internal_if\
-.Ic proto tcp from $user_ip to any \e
-.Xc
-.Ic \ \ port { 21, 22, 80, 443 } flags S/SA
-.Xo Ic pass in quick on $internal_if proto\
-.Ic tcp from $user_ip to any \e
-.Xc
-.Ic \ \ port { 21, 22, 80, 443 }
-.Xo Ic pass in quick proto udp from $user_ip\
-.Ic to $ipsec_gw port = isakmp \e
-.Xc
-.Ic \ \ keep state
-.Ic pass in quick proto esp from $user_ip to $ipsec_gw
+pass in log quick on $internal_if proto tcp from $user_ip to any \e
+ port { 21, 22, 80, 443 } flags S/SA
+pass in quick on $internal_if proto tcp from $user_ip to any \e
+ port { 21, 22, 80, 443 }
+pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e
+ keep state
+pass in quick proto esp from $user_ip to $ipsec_gw
 .Ed
 .Sh FILES
 .Bl -tag -width "/etc/authpf/authpf.conf" -compact |