From: sthen Date: Mon, 9 May 2022 21:48:00 +0000 (+0000) Subject: Mention in the "proto icmp" section that standard stateful rules (i.e. the X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=21de0b1bf0f91660cf011cd09094e842f433206c;p=openbsd Mention in the "proto icmp" section that standard stateful rules (i.e. the default type of PF rule) don't allow ICMP responses unless they match an existing state - tweak "keep state (sloppy)" to suggest from the first sentence of the paragraph that it affects more than TCP. ok sashan@ bluhm@ --- diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index a0ab275e537..4b72225d91b 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.594 2022/05/09 20:29:23 sashan Exp $ +.\" $OpenBSD: pf.conf.5,v 1.595 2022/05/09 21:48:00 sthen Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer @@ -594,6 +594,13 @@ or .Pc must match. .Pp +ICMP responses are not permitted unless they either match an +existing request, or unless +.Cm no state +or +.Cm keep state (sloppy) +is specified. +.Pp .It Cm label Ar string Adds a label to the rule, which can be used to identify the rule. For instance, @@ -2177,7 +2184,7 @@ States created by this rule are exported on the .Xr pflow 4 interface. .It Cm sloppy -Uses a sloppy TCP connection tracker that does not check sequence +For TCP, uses a sloppy connection tracker that does not check sequence numbers at all, which makes insertion and ICMP teardown attacks way easier. This is intended to be used in situations where one does not see all @@ -2186,7 +2193,8 @@ It cannot be used with .Cm modulate state or .Cm synproxy state . -With this option ICMP replies can create states. +For ICMP, this option allows states to be created from replies, +not just requests. .It Ar timeout seconds Changes the .Ar timeout