-rw-r--r--  sbin/pfctl/pfctl.8          |  4
-rw-r--r--  share/man/man4/pf.4         | 12
-rw-r--r--  share/man/man5/pf.conf.5    | 39
-rw-r--r--  share/man/man5/pf.os.5      | 44
-rw-r--r--  usr.sbin/tcpdump/tcpdump.8  |  9
5 files changed, 62 insertions, 46 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 215e7e17f5c..6376c1b61bf 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.99 2003/08/22 21:50:34 david Exp $ +.\" $OpenBSD: pfctl.8,v 1.100 2003/08/28 09:41:22 jmc Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" @@ -471,7 +471,7 @@ Packet filter rules file. .Sh SEE ALSO .Xr pf 4 , .Xr pf.conf 5 , -.Xr pf.os 5 +.Xr pf.os 5 , .Xr sysctl.conf 5 , .Xr ftp-proxy 8 , .Xr rc 8 , diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4 index 5a6d106472a..f01dcb38aa6 100644 --- a/share/man/man4/pf.4 +++ b/share/man/man4/pf.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.4,v 1.36 2003/08/22 21:50:34 david Exp $ +.\" $OpenBSD: pf.4,v 1.37 2003/08/28 09:41:22 jmc Exp $ .\" .\" Copyright (C) 2001, Kjell Wooding. All rights reserved. .\" @@ -579,10 +579,10 @@ to the name of the version (NT, 95, 98), and .Va fp_os.fp_subtype_nm to the name of the subtype or patchlevel. The members -.Va fp_mss -.Va fp_wsize -.Va fp_psize -.Va fp_ttl +.Va fp_mss , +.Va fp_wsize , +.Va fp_psize , +.Va fp_ttl , and .Va fp_wscale are set to the TCP MSS, the TCP window size, the IP length and the IP TTL of @@ -618,7 +618,7 @@ struct pf_osfp_ioctl { .Pp Get the passive OS fingerprint number .Va fp_getnum -from the kernels fingerprint list. +from the kernel's fingerprint list. The rest of the structure members will come back filled. Get the whole list by repeatedly incrementing the .Va fp_getnum diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 85813efe449..dfec303547a 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.269 2003/08/26 18:34:25 dhartmei Exp $ +.\" $OpenBSD: pf.conf.5,v 1.270 2003/08/28 09:41:22 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. 
@@ -440,16 +440,16 @@ Load fingerprints of known operating systems from the given filename. By default fingerprints of known operating systems are automatically loaded from .Xr pf.os 5 -in /etc but can be overridden via this option. +in +.Pa /etc +but can be overridden via this option. Setting this option may leave a small period of time where the fingerprints referenced by the currently active ruleset are inconsistent until the new ruleset finishes loading. .Pp For example: -.Bd -literal -offset indent -set fingerprints "/etc/pf.os.devel" -.Ed .Pp +.Dl set fingerprints \&"/etc/pf.os.devel\&" .El .Sh TRAFFIC NORMALIZATION Traffic normalization is used to sanitize packet content in such @@ -763,7 +763,6 @@ The can get additional parameters with .Ar <scheduler> Ns Li (\& Ar <parameters> No ) . Parameters are as follows: -.Pp .Bl -tag -width Fl .It Ar default Packets not matched by another queue are assigned to this one. @@ -1019,7 +1018,6 @@ evaluated in sequential order, from first to last. The last matching rule decides what action is taken. .Pp The following actions can be used in the filter: -.Pp .Bl -tag -width xxxx .It Ar block The packet is blocked. @@ -1151,7 +1149,10 @@ For a list of all the protocol name to number mappings used by .Xr pfctl 8 , see the file .Em /etc/protocols . -.It Ar from <source> port <source> os <source> to <dest> port <dest> +.It Xo +.Ar from <source> port <source> os <source> +.Ar to <dest> port <dest> +.Xc This rule applies only to packets with the specified source and destination addresses and ports. .Pp 
@@ -1758,19 +1759,17 @@ and would be OpenBSD for the firewall itself. The version of the oldest available OpenBSD release on the main ftp site would be 2.6 and the fingerprint would be written -.Bd -literal -offset indent -"OpenBSD 2.6" -.Ed +.Pp +.Dl \&"OpenBSD 2.6\&" .Pp The subtype of an operating system is typically used to describe the patchlevel if that patch led to changes in the TCP stack behavior. In the case of OpenBSD, the only subtype is for a fingerprint that was normalized by the .Ar no-df -scrub option and would be specified like -.Bd -literal -offset indent -"OpenBSD 3.3 no-df" -.Ed +scrub option and would be specified as +.Pp +.Dl \&"OpenBSD 3.3 no-df\&" .Pp Fingerprints for most popular operating systems are provided by .Xr pf.os 5 . @@ -1778,9 +1777,8 @@ Once .Xr pf 4 is running, a complete list of known operating system fingerprints may be listed by running: -.Bd -literal -offset indent -# pfctl -so -.Ed +.Pp +.Dl # pfctl -so .Pp Filter rules can enforce policy at any level of operating system specification assuming a fingerprint is present. @@ -2241,7 +2239,7 @@ pass in on $ext_if proto tcp from any to 157.161.48.183 port >= 49152 \e flags S/SA keep state # Do not allow Windows 9x SMTP connections since they are typically -# a viral worm. Alternately we could limit these OSes to 1 connection each. +# a viral worm. Alternately we could limit these OSes to 1 connection each. block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e to any port smtp @@ -2457,6 +2455,8 @@ sc-spec = ( bandwidth-spec | Host name database. .It Pa /etc/pf.conf Default location of the ruleset file. +.It Pa /etc/pf.os +Default location of OS fingerprints. .It Pa /etc/protocols Protocol name database. .It Pa /etc/services @@ -2473,6 +2473,7 @@ Example rulesets. .Xr tcp 4 , .Xr udp 4 , .Xr hosts 5 , +.Xr pf.os 5 , .Xr protocols 5 , .Xr services 5 , .Xr ftp-proxy 8 , 
diff --git a/share/man/man5/pf.os.5 b/share/man/man5/pf.os.5 index 7de8e739d51..485f69a7323 100644 --- a/share/man/man5/pf.os.5 +++ b/share/man/man5/pf.os.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.os.5,v 1.3 2003/08/22 21:50:34 david Exp $ +.\" $OpenBSD: pf.os.5,v 1.4 2003/08/28 09:41:23 jmc Exp $ .\" .\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> .\" @@ -25,9 +25,9 @@ The firewall and the .Xr tcpdump 8 program can both fingerprint the operating system of hosts that -originate a IPv4 TCP connection. +originate an IPv4 TCP connection. The file consists of newline-separated records, one per fingerprint, -containing twelve colon +containing nine colon .Pq Ql \&: separated fields. These fields are as follows: @@ -59,8 +59,11 @@ field corresponds to the th->th_win field in the TCP header and is the source host's advertised TCP window size. It may be between zero and 65,535 inclusive. The window size may be given as a multiple of a constant by prepending -the size with a percent sign '%' and the value will be used as a modulus. +the size with a percent sign +.Sq % +and the value will be used as a modulus. Three special values may be used for the window size: +.Pp .Bl -tag -width xxx -offset indent -compact .It * An asterisk will wildcard the value so any window size will match. @@ -96,11 +99,16 @@ SYN packet. Each option is described by a single character separated by a comma and certain ones may include a value. The options are: +.Pp .Bl -tag -width Description -offset indent -compact .It Mnnn maximum segment size (MSS) option. The value is the maximum packet size of the network link which may -include the '%' modulus or match all MSSes with the '*' value. +include the +.Sq % +modulus or match all MSSes with the +.Sq * +value. .It N the NOP option (NO Operation). .It T[0] 
@@ -112,15 +120,18 @@ the Selective ACKnowledgement OK (SACKOK) option. .It Wnnn window scaling option. The value is the size of the window scaling which may include the -'%' modulus or match all window scalings with the '*' value. +.Sq % +modulus or match all window scalings with the +.Sq * +value. .El .Pp -No TCP options in the fingerprint may be given with a single dot '.'. +No TCP options in the fingerprint may be given with a single dot +.Sq \&. . .Pp An example of OpenBSD's TCP options are: -.Bd -literal - M*,N,N,S,N,W0,N,N,T -.Ed +.Pp +.Dl M*,N,N,S,N,W0,N,N,T .Pp The first option .Ar M* @@ -166,16 +177,19 @@ patches or tweaking. .Pp The .Ar description -is is a general description of the operating system, it's version, +is a general description of the operating system, its version, patchlevel and any further useful details. .Sh EXAMPLES -The fingerprint of a plain OpenBSD 3.3 host is: +The fingerprint of a plain +.Ox 3.3 +host is: .Bd -literal 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3 .Ed .Pp -The fingerprint of an OpenBSD 3.3 host behind a PF scrubbing firewall -with a no-df rule would be: +The fingerprint of an +.Ox 3.3 +host behind a PF scrubbing firewall with a no-df rule would be: .Bd -literal 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df .Ed @@ -222,7 +236,7 @@ three bytes. .Pp In the above example, the packet size comes out to 44 bytes. .Sh SEE ALSO -.Xr pf.conf 5 , .Xr pf 4 , +.Xr pf.conf 5 , .Xr pfctl 8 , .Xr tcpdump 8 diff --git a/usr.sbin/tcpdump/tcpdump.8 b/usr.sbin/tcpdump/tcpdump.8 index f40eafde937..399937923ef 100644 --- a/usr.sbin/tcpdump/tcpdump.8 +++ b/usr.sbin/tcpdump/tcpdump.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tcpdump.8,v 1.38 2003/08/21 19:14:23 frantzen Exp $ +.\" $OpenBSD: tcpdump.8,v 1.39 2003/08/28 09:41:22 jmc Exp $ .\" .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996 .\" The Regents of the University of California. All rights reserved. 
@@ -1249,8 +1249,9 @@ or a single .Pq no flags . .Ar src\&-os will list a guess of the source host's operating system if the -.Ar -o -command line flag was passed to tcpdump. +.Fl o +command line flag was passed to +.Nm tcpdump . .Ar data\&-seqno describes the portion of sequence space covered by the data in this packet (see example below). @@ -1941,7 +1942,7 @@ interrupt. .Sh SEE ALSO .\" traffic(1C), nit(4P), .Xr pcap 3 , -.Xr bpf 4 +.Xr bpf 4 , .Xr pf.os 5 .Sh AUTHORS Van Jacobson |
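Review bot: the trailing comma added after `.Xr pf.os 5` in the pfctl.8 SEE ALSO hunk (@@ -471) is needed, not cosmetic: without it mdoc renders the list as "pf.os(5) sysctl.conf(5)" with no separator, since `.Xr sysctl.conf 5 ,` follows. The same fix is applied to `.Xr bpf 4` in tcpdump.8 (@@ -1941); the only SEE ALSO hunk that changes order rather than punctuation is pf.os.5 (@@ -222), which moves `.Xr pf 4` ahead of `.Xr pf.conf 5` so entries sort by section then name, matching the other four files.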
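Review bot: the field-count correction in pf.os.5 (@@ -25, "twelve" to "nine") checks out against the EXAMPLES hunk in the same file: `16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3` contains eight colons and therefore nine fields, the commas being separators inside the single TCP-options field. Since the seventh field (the subtype) is empty in that first example and `!df` in the second, it would help readers to state next to the field list that a field may be left empty, so nobody tries to derive the count from the option commas.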
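Review bot: wrapping the long `.It Ar from <source> port <source> os <source> to <dest> port <dest>` in `.Xo`/`.Xc` (pf.conf.5 @@ -1151) is the right mdoc idiom, since that line passes eleven arguments to `.It` and classic troff limits a macro call to nine; splitting it across two `.Ar` lines inside `.Xo ... .Xc` keeps the rendered tag identical. Worth a short note in the commit message, as a later editor may otherwise "simplify" it back into one line.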
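Review bot: the `\&` escapes in the new `.Dl` lines (pf.conf.5 @@ -440 and @@ -1758: `.Dl set fingerprints \&"/etc/pf.os.devel\&"`, `.Dl \&"OpenBSD 2.6\&"`) and in `.Sq \&. .` (pf.os.5 @@ -112) are required, not optional: an unescaped `"` starts a quoted macro argument and a lone `.` is treated as punctuation, so both would render wrongly. The conversion from `.Bd -literal -offset indent ... .Ed` to `.Dl` is fine for these one-line displays; the two multi-line fingerprint examples in pf.os.5 correctly stay in `.Bd -literal`.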
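Review bot: adding `/etc/pf.os` to the FILES section of pf.conf.5 (@@ -2457) closes a gap, since the `set fingerprints` paragraph (@@ -440) already says the default list is loaded from pf.os(5) in `.Pa /etc` but the file was not listed; the two now agree. Consider phrasing the new entry as "Default location of the OS fingerprint file" so it parallels "Default location of the ruleset file" directly above it. The pf.4 hunk (@@ -618, "kernels" to "kernel's") and the comment-line hunk at @@ -2241 are whitespace and spelling only and need no further review.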
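Review bot: `.Fl o` replacing `.Ar -o` in tcpdump.8 (@@ -1249) is the correct macro, as `.Fl` supplies the dash and marks it as a flag rather than an argument. Style point on the same hunk: `.Nm tcpdump .` in the body can be written `.Nm .`, since mdoc reuses the name set by the first `.Nm` in the NAME section; either form renders the same here.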