From 3046bcdd2fc2eb2169e91d9f8b8f59bdb5151f47 Mon Sep 17 00:00:00 2001 From: Jason McIntyre Date: Tue, 21 Apr 2009 16:04:28 +0000 Subject: tweak NORMALIZATION; --- share/man/man5/pf.conf.5 | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) (limited to 'share/man') diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 7a3b175b5b4..b16c998f203 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.431 2009/04/21 14:08:18 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.432 2009/04/21 16:04:27 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -1704,16 +1704,15 @@ Enforces a maximum MSS for matching TCP packets. .It Xo Ar set-tos Aq Ar string .No \*(Ba Aq Ar number .Xc -Enforces a -.Em TOS -for matching IP packets. -.Em TOS -may be -given as one of +Enforces a TOS for matching IP packets. +.Ar string +may be one of .Ar lowdelay , .Ar throughput , -.Ar reliability , -or as either hex or decimal. +or +.Ar reliability ; +.Ar number +may be either a hex or decimal number. .It Ar random-id Replaces the IP identification field with random values to compensate for predictable values generated by many hosts. 
@@ -1723,16 +1722,15 @@ after the optional fragment reassembly. Statefully normalizes TCP connections. .Ar reassemble tcp performs the following normalizations: -.Pp -.Bl -tag -width timeout -compact -.It ttl +.Bl -ohang +.It TTL Neither side of the connection is allowed to reduce their IP TTL. An attacker may send a packet such that it reaches the firewall, affects the firewall state, and expires before reaching the destination host. .Ar reassemble tcp will raise the TTL of all packets back up to the highest value seen on the connection. -.It timestamp modulation +.It Timestamp Modulation Modern TCP stacks will send a timestamp on every TCP packet and echo the other endpoint's timestamp back to them. Many operating systems will merely start the timestamp at zero when @@ -1749,7 +1747,7 @@ guessable base time. will cause .Ar scrub to modulate the TCP timestamps with a random number. -.It extended PAWS checks +.It Extended PAWS Checks There is a problem with TCP on long fat pipes, in that a packet might get delayed for longer than it takes the connection to wrap its 32-bit sequence space. @@ -1770,7 +1768,7 @@ blind attacker would have to guess the timestamp as well. .El .El .Pp -For example, +For example: .Bd -literal -offset indent match in all scrub (no-df max-mss 1440) .Ed
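Review bot: in the set-tos hunk (@@ -1704,16 +1704,15 @@), the new sentence ".Ar number may be either a hex or decimal number." repeats "number" and reads awkwardly; "may be given in hex or decimal" says the same thing more cleanly. The split into ".Ar string may be one of ..." and ".Ar number may be ..." is otherwise a clear improvement, since it ties each alternative in the ".Ar set-tos Aq Ar string .No \*(Ba Aq Ar number" synopsis to its own description, and the trailing punctuation on ".Ar reliability ;" is correctly passed to mdoc as a separate argument.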
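Review bot: in the reassemble tcp list hunk (@@ -1723,16 +1722,15 @@), the item heads are changed to Title Case (".It Timestamp Modulation", ".It Extended PAWS Checks") while the rest of this page uses lowercase keywords and sentence case for item heads; ".It TTL" is fine as an acronym, but the other two would read more consistently as ".It Timestamp modulation" and ".It Extended PAWS checks". Replacing ".Bl -tag -width timeout -compact" with ".Bl -ohang" also drops "-compact", so the three items are now separated by vertical space, which suits their paragraph-length bodies; dropping the preceding ".Pp" is correct because the list macro already breaks the paragraph, and the change from "For example," to "For example:" before ".Bd -literal" in the last hunk is the right punctuation for introducing a display block.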