summaryrefslogtreecommitdiff
path: root/share
diff options
context:
space:
mode:
Diffstat (limited to 'share')
-rw-r--r--share/man/man5/pf.conf.513
1 files changed, 7 insertions, 6 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 019c65f4049..fd84608a115 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.149 2002/12/10 00:33:33 margarida Exp $
+.\" $OpenBSD: pf.conf.5,v 1.150 2002/12/10 01:38:41 margarida Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -710,7 +710,7 @@ Common protocols are
.Xr udp 4 ,
.Xr icmp 4 ,
and
-.Xr icmp6 .
+.Xr icmp6 4 .
.It Pa from <source> port <source> to <dest> port <dest>
The rule applies only to packets with the specified source and destination
addresses and ports.
@@ -824,7 +824,7 @@ The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
Flag SYN is set.
The other flags are ignored.
.It Em flags S/SA
-Of SYN and ACK, exactly SYN is set.
+Out of SYN and ACK, exactly SYN may be set.
SYN, SYN+PSH, SYN+RST match, but SYN+ACK, ACK and ACK+RST do not.
This is more restrictive than the previous example.
.It Em flags /SFRA
@@ -984,7 +984,7 @@ ruleset is reloaded.
.It Em round-robin
The
.Pa round-robin
-option loops through the redirection address(s).
+option loops through the redirection address(es).
.Pp
When more than one redirection address is specified,
.Pa round-robin
@@ -1207,7 +1207,7 @@ Besides the use of
.Pa scrub
rules as described in
.Pa TRAFFIC NORMALIZATION
-above, there are three options for handling fragments in the packet filter
+above, there are three options for handling fragments in the packet filter.
.Pp
The alternative is to filter individual fragments with filter rules.
If no
@@ -1231,7 +1231,8 @@ For instance, the rule
.Bd -literal
pass in proto tcp from any to any port 80
.Ed
-.Pp never applies to a fragment, even if the fragment is part of a TCP
+.Pp
+never applies to a fragment, even if the fragment is part of a TCP
packet with destination port 80, because without reassembly, this information
is not available for each fragment.
This also means that fragments cannot create new or match existing