-rw-r--r-- | share/man/man5/spamd.conf.5 | 59 | ||||
-rw-r--r-- | usr.sbin/authpf/authpf.8 | 124 |
2 files changed, 80 insertions, 103 deletions
diff --git a/share/man/man5/spamd.conf.5 b/share/man/man5/spamd.conf.5
index 82d0d3800f3..2a4f3c32f0c 100644
--- a/share/man/man5/spamd.conf.5
+++ b/share/man/man5/spamd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: spamd.conf.5,v 1.6 2003/03/09 02:37:58 deraadt Exp $
+.\" $OpenBSD: spamd.conf.5,v 1.7 2003/03/11 09:24:58 jmc Exp $
 .\"
 .\" Copyright (c) 2003 Jason L. Wright (jason@thought.net)
 .\" Copyright (c) 2003 Bob Beck
@@ -54,26 +54,26 @@ follows the syntax of configuration databases as documented in
 .Xr getcap 3 .
 Example:
 .Bd -literal -offset indent
-.Ic all:\e
-.Ic :spews1:white:myblack:\e
-.Ic
-.Ic spews1:\e
-.Ic :black\e
-.Ic :msg="SPAM. Your address \&%A is in the spews\e
-.Ic level 1 database\ensee http://www.spews.org/ask.cgi?x=\&%A\en":\e
-.Ic :method=http:\e
-.Ic :file=www.spews.org/spews_list_level1.txt:
-.Ic \ \ 
-.Ic white:\e
-.Ic :white:\e
-.Ic :method=file:\e
-.Ic :file=/var/mail/mywhite.txt:\e
-.Ic \ \ 
-.Ic myblack:\e
-.Ic :black:\e
-.Ic :msg=/var/mail/myblackmsg.txt:\e
-.Ic :method=file:\e
-.Ic :file=/var/mail/myblack.txt
+all:\e
+ :spews1:white:myblack:\e
+.Pp
+spews1:\e
+ :black\e
+ :msg="SPAM. Your address \&%A is in the spews\e
+ level 1 database\ensee http://www.spews.org/ask.cgi?x=\&%A\en":\e
+ :method=http:\e
+ :file=www.spews.org/spews_list_level1.txt:
+.Pp
+white:\e
+ :white:\e
+ :method=file:\e
+ :file=/var/mail/mywhite.txt:\e
+.Pp
+myblack:\e
+ :black:\e
+ :msg=/var/mail/myblackmsg.txt:\e
+ :method=file:\e
+ :file=/var/mail/myblack.txt
 .Ed
 .Pp
 The default configuration file must include the entry
@@ -101,9 +101,8 @@ from
 .Ar myblack ,
 the configuration
 .Bd -literal -offset indent
-.Ic all:\e
-.Ic :spews1:white:myblack:white:\e
-.Ic
+all:\e
+ :spews1:white:myblack:white:\e
 .Ed
 would be used instead.
 .Pp
@@ -156,12 +155,12 @@ are ignored. Network blocks may be specified in any of the formats as in the following example:
 .Bd -literal -offset indent
-.Ic # CIDR format
-.Ic 192.168.20.0/24
-.Ic # A start - end range
-.Ic 192.168.21.0 - 192.168.21.255
-.Ic # As a single IP address
-.Ic 192.168.23.1
+# CIDR format
+192.168.20.0/24
+# A start - end range
+192.168.21.0 - 192.168.21.255
+# As a single IP address
+192.168.23.1
 .Ed
 .Pp
 Each blacklist must include a message, specified in the
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8
index 7d7d268f9b2..4e6a1d6821a 100644
--- a/usr.sbin/authpf/authpf.8
+++ b/usr.sbin/authpf/authpf.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.23 2003/03/10 15:37:29 jmc Exp $
+.\" $OpenBSD: authpf.8,v 1.24 2003/03/11 09:24:57 jmc Exp $
 .\"
 .\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.
 .\"
@@ -93,10 +93,10 @@ in order to cause evaluation of any
 .Nm
 rules:
 .Bd -literal
-.Ic nat-anchor authpf
-.Ic rdr-anchor authpf
-.Ic binat-anchor authpf
-.Ic anchor authpf
+nat-anchor authpf
+rdr-anchor authpf
+binat-anchor authpf
+anchor authpf
 .Ed
 .Pp
 .Sh FILTER AND TRANSLATION RULES
@@ -311,21 +311,21 @@ To make that happen,
 .Xr login.conf 5
 should have entries that look something like this:
 .Bd -literal
-.Ic shell-default:shell=/bin/csh
+shell-default:shell=/bin/csh
 .Pp
-.Ic default:\e
-.Ic \ \ \ \ ...
-.Ic \ \ \ \ :shell=/usr/sbin/authpf
+default:\e
+ ...
+ :shell=/usr/sbin/authpf
 .Pp
-.Ic daemon:\e
-.Ic \ \ \ \ ...
-.Ic \ \ \ \ :shell=/bin/csh:\e
-.Ic \ \ \ \ :tc=default:
+daemon:\e
+ ...
+ :shell=/bin/csh:\e
+ :tc=default:
 .Pp
-.Ic staff:\e
-.Ic \ \ \ \ ...
-.Ic \ \ \ \ :shell=/bin/csh:\e
-.Ic \ \ \ \ :tc=default:
+staff:\e
+ ...
+ :shell=/bin/csh:\e
+ :tc=default:
 .Ed
 .Pp
 Using a default password file, all users will get
@@ -339,8 +339,8 @@ must be properly configured to detect and defeat network attacks.
 To that end, the following options should be added to
 .Xr sshd_config 5 :
 .Bd -literal
-.Ic ClientAliveInterval 15
-.Ic ClientAliveCountMax 3
+ClientAliveInterval 15
+ClientAliveCountMax 3
 .Ed
 .Pp
 This ensures that unresponsive or spoofed sessions are terminated within a
@@ -354,25 +354,17 @@ of
 .Pa /etc/motd
 or something as simple as the following:
 .Bd -literal -offset indent
-.Xo Ic This means you will be held accountable\ 
-.Ic by the powers that be
-.Xc
-.Xo Ic for traffic originating from your machine,\ 
-.Ic so please play nice.
-.Xc
+This means you will be held accountable by the powers that be
+for traffic originating from your machine, so please play nice.
 .Ed
 .Pp
 To tell the user where to go when the system is broken,
 .Pa /etc/authpf/authpf.problem
 could contain something like this:
 .Bd -literal -offset indent
-.Xo Ic Sorry, there appears to be some system\ 
-.Ic problem. To report this
-.Xc
-.Xo Ic problem so we can fix it, please\ 
-.Ic phone 1-900-314-1597 or send
-.Xc
-.Ic an email to remove@bulkmailerz.net.
+Sorry, there appears to be some system problem. To report this
+problem so we can fix it, please phone 1-900-314-1597 or send
+an email to remove@bulkmailerz.net.
 .Ed
 .Pp
 \fBPacket Filter Rules\fP - In areas where this gateway is used to protect a
@@ -394,21 +386,17 @@ Example
 .Bd -literal
 # by default we allow internal clients to talk to us using
 # ssh and use us as a dns server.
-.Ic internal_if=\&"fxp1\&"
-.Ic gateway_addr=\&"10.0.1.1\&"
-.Ic nat-anchor authpf
-.Ic rdr-anchor authpf
-.Ic binat-anchor authpf
-.Ic block in on $internal_if from any to any
-.Xo Ic pass in quick on $internal_if proto tcp\ 
-.Ic from any to $gateway_addr \e
-.Xc
-.Ic \ \ port = ssh
-.Xo Ic pass in quick on $internal_if proto udp\ 
-.Ic from any to $gateway_addr \e
-.Xc
-.Ic \ \ port = domain
-.Ic anchor authpf
+internal_if=\&"fxp1\&"
+gateway_addr=\&"10.0.1.1\&"
+nat-anchor authpf
+rdr-anchor authpf
+binat-anchor authpf
+block in on $internal_if from any to any
+pass in quick on $internal_if proto tcp from any to $gateway_addr \e
+ port = ssh
+pass in quick on $internal_if proto udp from any to $gateway_addr \e
+ port = domain
+anchor authpf
 .Ed
 .Pp
 Example
@@ -416,14 +404,12 @@ Example
 .Bd -literal
 # no real restrictions here, basically turn the network jack off or on.
 .Pp
-.Ic external_if = \&"xl0\&"
-.Ic internal_if = \&"fxp0\&"
+external_if = \&"xl0\&"
+internal_if = \&"fxp0\&"
 .Pp
-.Xo Ic pass in log quick on $internal_if proto\ 
-.Ic tcp from $user_ip to any \e
-.Xc
-.Ic \ \ keep state
-.Ic pass in quick on $internal_if from $user_ip to any
+pass in log quick on $internal_if proto tcp from $user_ip to any \e
+ keep state
+pass in quick on $internal_if from $user_ip to any
 .Ed
 .Pp
 Another example
@@ -431,30 +417,22 @@ Another example for an insecure network (such as a public wireless network) where we might need to be a bit more restrictive.
 .Bd -literal
-.Ic internal_if=\&"fxp1\&"
-.Ic ipsec_gw=\&"10.2.3.4\&"
+internal_if=\&"fxp1\&"
+ipsec_gw=\&"10.2.3.4\&"
 .Pp
 # rdr ftp for proxying by ftp-proxy(8)
-.Xo Ic rdr on $internal_if proto tcp from\ 
-.Ic $user_ip to any port 21 \e
-.Xc
-.Ic \ \ -> 127.0.0.1 port 8081
+rdr on $internal_if proto tcp from $user_ip to any port 21 \e
+ -> 127.0.0.1 port 8081
 .Pp
 # allow out ftp, ssh, www and https only, and allow user to negotiate
 # ipsec with the ipsec server.
-.Xo Ic pass in log quick on $internal_if\ 
-.Ic proto tcp from $user_ip to any \e
-.Xc
-.Ic \ \ port { 21, 22, 80, 443 } flags S/SA
-.Xo Ic pass in quick on $internal_if proto\ 
-.Ic tcp from $user_ip to any \e
-.Xc
-.Ic \ \ port { 21, 22, 80, 443 }
-.Xo Ic pass in quick proto udp from $user_ip\ 
-.Ic to $ipsec_gw port = isakmp \e
-.Xc
-.Ic \ \ keep state
-.Ic pass in quick proto esp from $user_ip to $ipsec_gw
+pass in log quick on $internal_if proto tcp from $user_ip to any \e
+ port { 21, 22, 80, 443 } flags S/SA
+pass in quick on $internal_if proto tcp from $user_ip to any \e
+ port { 21, 22, 80, 443 }
+pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \e
+ keep state
+pass in quick proto esp from $user_ip to $ipsec_gw
 .Ed
 .Sh FILES
 .Bl -tag -width "/etc/authpf/authpf.conf" -compact |