From 19f9c903fc2760f22631be7691d1815e98dca223 Mon Sep 17 00:00:00 2001 From: Ryan Thomas McBride Date: Tue, 7 Dec 2004 05:30:28 +0000 Subject: Change the default for 'overload flush' to flush only states from the offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@ --- share/man/man5/pf.conf.5 | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'share/man/man5') diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 4cf312d340e..837164fe3d8 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.307 2004/12/04 16:07:31 mcbride Exp $ +.\" $OpenBSD: pf.conf.5,v 1.308 2004/12/07 05:30:27 mcbride Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -1963,8 +1963,13 @@ host's bandwidth. .Pp The optional .Ar flush -keyword kills all existing states originating from hosts exceeding these -limits. +keyword kills all states created by the matching rule which originate +from the host which exceeds these limits. +The +.Ar global +modifier to the flush command kills all states originating from the +offending host, regardless of which rule created the state. +.Pp For example, the following rules will protect the webserver against hosts making more than 100 connections in 10 seconds. Any host which connects faster than this rate will have its address added @@ -1974,7 +1979,7 @@ by the block rule. .Bd -literal -offset indent block quick from pass in on $ext_if to $webserver port www flags S/SA keep state \e - (max-src-conn-rate 100/10, overflow flush) + (max-src-conn-rate 100/10, overflow flush global) .Ed .Sh OPERATING SYSTEM FINGERPRINTING Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP -- cgit v1.2.3
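Review bot: the new .Ar flush paragraph in the second hunk documents both behaviours but never says that the default changed, even though the commit message states that plain flush used to kill every state from the offending host and now kills only those created by the matching rule; an administrator with an existing `flush` in a ruleset gets the narrower behaviour silently. Suggest one extra sentence after "which exceeds these limits.", e.g. "States created by other rules are left intact unless .Ar global is specified." Minor wording point in the same hunk: the text calls flush a "keyword" in one sentence and a "command" in the next ("modifier to the flush command"); use "keyword" in both.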
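Review bot: in the third hunk the example option reads `overflow flush global`, but the subject line and the pf syntax being documented use `overload`, so the example as shown will not parse. In the same literal block, `block quick from` has no source operand and the overload option names no table, while the surrounding text says the offending address is "added" somewhere and matched "by the block rule"; if the `<table>` tokens were lost in rendering, the source is fine, otherwise the example is incomplete and should read along the lines of `block quick from <TABLE>` and `overload <TABLE> flush global` (TABLE being whatever name the page intends). Also consider whether the example should keep plain `flush` to show the new default, with `global` mentioned in the text, rather than demonstrating only the non-default form.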