From: jmc Date: Thu, 8 Feb 2018 17:51:43 +0000 (+0000) Subject: tweak previous; ok henning X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e7b473002524ea48f67bdebda415dc3b6a4bcc92;p=openbsd tweak previous; ok henning --- diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 77994dc6ee3..81546df5323 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.572 2018/02/08 09:14:19 henning Exp $ +.\" $OpenBSD: pf.conf.5,v 1.573 2018/02/08 17:51:43 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer @@ -1358,17 +1358,17 @@ States can match packets on any interfaces (the default). .It Ic set Cm syncookies never | always | adaptive When .Cm syncookies -are active, pf will answer each and every incoming tcp SYN with a -syncookie SYNACK, without allocating any ressources. +are active, pf will answer each and every incoming TCP SYN with a +syncookie SYNACK, without allocating any resources. Upon reception of the client's ACK in response to the syncookie SYNACK, pf will evaluate the ruleset and create state if the ruleset -permits it, complete the three way handshake with the target host and -continue the connection with synproxy in place. +permits it, complete the three way handshake with the target host, +and continue the connection with synproxy in place. This allows pf to be resilient against large synflood attacks which would -run the state table against its limits otherwise. -Due to the blind answers to each and every SYN syncookies share the -caveats of synproxy, namely seemingly accepting connections that will be -dropped later on. +otherwise run the state table against its limits. +Due to the blind answers to each and every SYN, +syncookies share the caveats of synproxy: +seemingly accepting connections that will be dropped later on. .Pp .Bl -tag -width adaptive -compact .It Cm never @@ -1377,9 +1377,9 @@ pf will never send syncookie SYNACKs. pf will always send syncookie SYNACKs. .It Cm adaptive pf will enable syncookie mode when a given percentage of the state table -is used up by half-open tcp connections, as in, those that saw the initial +is used up by half-open TCP connections, such as those that saw the initial SYN but didn't finish the three way handshake. -The thresholds for entering and leaving syncookie mode can be specified using +The thresholds for entering and leaving syncookie mode can be specified using: .Bd -literal -offset indent set syncookies adaptive (start 25%, end 12%) .Ed