CVS commit: src/dist/pf/share/man
Module Name:src Committed By: maxv Date: Fri Aug 17 12:36:53 UTC 2018 Modified Files: src/dist/pf/share/man/man4: pflog.4 pfsync.4 src/dist/pf/share/man/man5: pf.conf.5 pf.os.5 Log Message: Add a deprecation note in each of the PF man pages (instead of just pf.4), so that it's really clear. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/dist/pf/share/man/man4/pflog.4 \ src/dist/pf/share/man/man4/pfsync.4 cvs rdiff -u -r1.16 -r1.17 src/dist/pf/share/man/man5/pf.conf.5 cvs rdiff -u -r1.6 -r1.7 src/dist/pf/share/man/man5/pf.os.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man4/pflog.4 diff -u src/dist/pf/share/man/man4/pflog.4:1.6 src/dist/pf/share/man/man4/pflog.4:1.7 --- src/dist/pf/share/man/man4/pflog.4:1.6 Sun Mar 22 14:29:34 2009 +++ src/dist/pf/share/man/man4/pflog.4 Fri Aug 17 12:36:53 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: pflog.4,v 1.6 2009/03/22 14:29:34 perry Exp $ +.\" $NetBSD: pflog.4,v 1.7 2018/08/17 12:36:53 maxv Exp $ .\" $OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $ .\" .\" Copyright (c) 2001 Tobias Weingartner @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd May 31, 2007 +.Dd August 17, 2018 .Dt PFLOG 4 .Os .Sh NAME @@ -33,6 +33,13 @@ .Sh SYNOPSIS .Cd "pseudo-device pflog" .Sh DESCRIPTION +.Bf -symbolic +The NetBSD version of PF is obsolete, and its use is strongly discouraged. +Use +.Xr npf 7 +instead. +.Pp +.Ef The .Nm pflog interface is a pseudo-device which makes visible all packets logged by Index: src/dist/pf/share/man/man4/pfsync.4 diff -u src/dist/pf/share/man/man4/pfsync.4:1.6 src/dist/pf/share/man/man4/pfsync.4:1.7 --- src/dist/pf/share/man/man4/pfsync.4:1.6 Mon Apr 12 21:28:23 2010 +++ src/dist/pf/share/man/man4/pfsync.4 Fri Aug 17 12:36:53 2018 
@@ -1,4 +1,4 @@ -.\" $NetBSD: pfsync.4,v 1.6 2010/04/12 21:28:23 wiz Exp $ +.\" $NetBSD: pfsync.4,v 1.7 2018/08/17 12:36:53 maxv Exp $ .\" $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $ .\" .\" Copyright (c) 2002 Michael Shalayeff @@ -25,7 +25,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd April 12, 2010 +.Dd August 17, 2018 .Dt PFSYNC 4 .Os .Sh NAME @@ -34,6 +34,13 @@ .Sh SYNOPSIS .Cd "pseudo-device pfsync" .Sh DESCRIPTION +.Bf -symbolic +The NetBSD version of PF is obsolete, and its use is strongly discouraged. +Use +.Xr npf 7 +instead. +.Pp +.Ef The .Nm interface is a pseudo-device which exposes certain changes to the state Index: src/dist/pf/share/man/man5/pf.conf.5 diff -u src/dist/pf/share/man/man5/pf.conf.5:1.16 src/dist/pf/share/man/man5/pf.conf.5:1.17 --- src/dist/pf/share/man/man5/pf.conf.5:1.16 Wed Oct 14 17:44:25 2009 +++ src/dist/pf/share/man/man5/pf.conf.5 Fri Aug 17 12:36:53 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: pf.conf.5,v 1.16 2009/10/14 17:44:25 joerg Exp $ +.\" $NetBSD: pf.conf.5,v 1.17 2018/08/17 12:36:53 maxv Exp $ .\" $OpenBSD: pf.conf.5,v 1.383 2007/07/17 16:27:38 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier 
@@ -28,13 +28,20 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 26, 2007 +.Dd August 17, 2018 .Dt PF.CONF 5 .Os .Sh NAME .Nm pf.conf .Nd packet filter configuration file .Sh DESCRIPTION +.Bf -symbolic +The NetBSD version of PF is obsolete, and its use is strongly discouraged. +Use +.Xr npf 7 +instead. +.Pp +.Ef The .Xr pf 4 packet filter modifies, drops or passes packets according to rules or Index: src/dist/pf/share/man/man5/pf.os.5 diff -u src/dist/pf/share/man/man5/pf.os.5:1.6 src/dist/pf/share/man/man5/pf.os.5:1.7 --- src/dist/pf/share/man/man5/pf.os.5:1.6 Sun Mar 22 14:29:35 2009 +++ src/dist/pf/share/man/man5/pf.os.5 Fri Aug 17 12:36:53 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: pf.os.5,v 1.6 2009/03/22 14:29:35 perry Exp $ +.\" $NetBSD: pf.os.5,v 1.7 2018/08/17 12:36:53 maxv Exp $ .\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $ .\" .\" Copyright (c) 2003 Mike Frantzen @@ -14,13 +14,20 @@ .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd May 31, 2007 +.Dd August 17, 2018 .Dt PF.OS 5 .Os .Sh NAME .Nm pf.os .Nd format of the operating system fingerprints file .Sh DESCRIPTION +.Bf -symbolic +The NetBSD version of PF is obsolete, and its use is strongly discouraged. +Use +.Xr npf 7 +instead. +.Pp +.Ef The .Xr pf 4 firewall and the
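Review bot: In each of the four DESCRIPTION hunks the `.Pp` sits before `.Ef`, so the paragraph break is issued inside the `.Bf -symbolic` block; close the font block first (`.Ef`, then `.Pp`) so the break belongs to the normal text that follows. The note also tells readers to use npf(7) without giving a reason or a pointer for moving an existing pf.conf ruleset across, and one more sentence would help an administrator who lands on pf.conf(5) or pfsync(4) while maintaining a running firewall. The same seven lines are now repeated in every page, so any later wording change has to be made in each copy.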
CVS commit: src/dist/pf/share/man/man4
Module Name:src Committed By: maxv Date: Wed Aug 1 13:30:14 UTC 2018 Modified Files: src/dist/pf/share/man/man4: pf.4 Log Message: Add a bold note to say our PF is obsolete. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/dist/pf/share/man/man4/pf.4 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man4/pf.4 diff -u src/dist/pf/share/man/man4/pf.4:1.12 src/dist/pf/share/man/man4/pf.4:1.13 --- src/dist/pf/share/man/man4/pf.4:1.12 Sat Dec 19 14:05:53 2009 +++ src/dist/pf/share/man/man4/pf.4 Wed Aug 1 13:30:13 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: pf.4,v 1.12 2009/12/19 14:05:53 ahoka Exp $ +.\" $NetBSD: pf.4,v 1.13 2018/08/01 13:30:13 maxv Exp $ .\" $OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $ .\" .\" Copyright (C) 2001, Kjell Wooding. All rights reserved. @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd December 19, 2009 +.Dd August 1, 2018 .Dt PF 4 .Os .Sh NAME @@ -36,6 +36,13 @@ .Sh SYNOPSIS .Cd "pseudo-device pf" .Sh DESCRIPTION +.Bf -symbolic +The NetBSD version of PF is obsolete, and its use is strongly discouraged. +Use +.Xr npf 7 +instead. +.Pp +.Ef Packet filtering takes place in the kernel. A pseudo-device, .Pa /dev/pf ,
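Review bot: The new `.Xr npf 7` reference in the @@ -36,6 +36,13 @@ DESCRIPTION hunk is not matched by any visible change to SEE ALSO; if npf(7) is not already listed there, add it so the recommended replacement is also reachable from the cross-reference list.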
CVS commit: src/dist/pf/share/man/man4
Module Name:src Committed By: ahoka Date: Mon Apr 12 14:26:11 UTC 2010 Modified Files: src/dist/pf/share/man/man4: pfsync.4 Log Message: mention pfsync not working as a kernel module To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/dist/pf/share/man/man4/pfsync.4 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man4/pfsync.4 diff -u src/dist/pf/share/man/man4/pfsync.4:1.4 src/dist/pf/share/man/man4/pfsync.4:1.5 --- src/dist/pf/share/man/man4/pfsync.4:1.4 Sun Oct 4 18:07:26 2009 +++ src/dist/pf/share/man/man4/pfsync.4 Mon Apr 12 14:26:11 2010 @@ -1,4 +1,4 @@ -.\ $NetBSD: pfsync.4,v 1.4 2009/10/04 18:07:26 joerg Exp $ +.\ $NetBSD: pfsync.4,v 1.5 2010/04/12 14:26:11 ahoka Exp $ .\ $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $ .\ .\ Copyright (c) 2002 Michael Shalayeff @@ -246,3 +246,8 @@ .Nm device first appeared in .Ox 3.3 . +.Sh CAVEATS +.Nm +is not available when using +.Xr pf 4 +as a kernel module.
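Review bot: The `.Dd` line is not touched here although the @@ -246,3 +246,8 @@ hunk adds a CAVEATS section, so the page date no longer reflects its content; bump it in the same change. The caveat itself says only that pfsync is not available when pf(4) is used as a kernel module; it would help to state what the reader should do instead, since a firewall pair that loads pf as a module would be running without pfsync.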
CVS commit: src/dist/pf/share/man/man4
Module Name:src Committed By: wiz Date: Mon Apr 12 21:28:24 UTC 2010 Modified Files: src/dist/pf/share/man/man4: pfsync.4 Log Message: Bump date for new CAVEATS. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/dist/pf/share/man/man4/pfsync.4 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man4/pfsync.4 diff -u src/dist/pf/share/man/man4/pfsync.4:1.5 src/dist/pf/share/man/man4/pfsync.4:1.6 --- src/dist/pf/share/man/man4/pfsync.4:1.5 Mon Apr 12 14:26:11 2010 +++ src/dist/pf/share/man/man4/pfsync.4 Mon Apr 12 21:28:23 2010 @@ -1,4 +1,4 @@ -.\ $NetBSD: pfsync.4,v 1.5 2010/04/12 14:26:11 ahoka Exp $ +.\ $NetBSD: pfsync.4,v 1.6 2010/04/12 21:28:23 wiz Exp $ .\ $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $ .\ .\ Copyright (c) 2002 Michael Shalayeff @@ -25,7 +25,7 @@ .\ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\ -.Dd September 14, 2009 +.Dd April 12, 2010 .Dt PFSYNC 4 .Os .Sh NAME
CVS commit: src/dist/pf/share/man/man4
Module Name:src Committed By: ahoka Date: Sat Dec 19 14:05:53 UTC 2009 Modified Files: src/dist/pf/share/man/man4: pf.4 Log Message: Remove the notice about pfsync not being supported, as we have it now. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/dist/pf/share/man/man4/pf.4 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man4/pf.4 diff -u src/dist/pf/share/man/man4/pf.4:1.11 src/dist/pf/share/man/man4/pf.4:1.12 --- src/dist/pf/share/man/man4/pf.4:1.11 Mon Sep 14 11:17:49 2009 +++ src/dist/pf/share/man/man4/pf.4 Sat Dec 19 14:05:53 2009 @@ -1,4 +1,4 @@ -.\ $NetBSD: pf.4,v 1.11 2009/09/14 11:17:49 wiz Exp $ +.\ $NetBSD: pf.4,v 1.12 2009/12/19 14:05:53 ahoka Exp $ .\ $OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $ .\ .\ Copyright (C) 2001, Kjell Wooding. All rights reserved. @@ -27,7 +27,7 @@ .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\ SUCH DAMAGE. .\ -.Dd September 14, 2009 +.Dd December 19, 2009 .Dt PF 4 .Os .Sh NAME @@ -1146,8 +1146,6 @@ .Nx : .Bl -bullet -offset indent .It -The pfsync protocol is not supported. -.It The .Em group keyword is not supported.
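Review bot: In the @@ -1146,8 +1146,6 @@ hunk the bullet "The pfsync protocol is not supported." is deleted outright, which leaves this list silent on pfsync even though pfsync(4) on NetBSD still states that protecting the traffic with ipsec(4) is not supported. Consider replacing the bullet with a short pointer to pfsync(4) for the remaining limitations instead of dropping it.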
CVS commit: src/dist/pf/share/man/man5
Module Name:src Committed By: joerg Date: Wed Oct 14 17:44:25 UTC 2009 Modified Files: src/dist/pf/share/man/man5: pf.conf.5 Log Message: Do not use .Xo/.Xc to workaround ancient groff limits. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/dist/pf/share/man/man5/pf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man5/pf.conf.5 diff -u src/dist/pf/share/man/man5/pf.conf.5:1.15 src/dist/pf/share/man/man5/pf.conf.5:1.16 --- src/dist/pf/share/man/man5/pf.conf.5:1.15 Sun Mar 22 14:29:35 2009 +++ src/dist/pf/share/man/man5/pf.conf.5 Wed Oct 14 17:44:25 2009 @@ -1,4 +1,4 @@ -.\ $NetBSD: pf.conf.5,v 1.15 2009/03/22 14:29:35 perry Exp $ +.\ $NetBSD: pf.conf.5,v 1.16 2009/10/14 17:44:25 joerg Exp $ .\ $OpenBSD: pf.conf.5,v 1.383 2007/07/17 16:27:38 jmc Exp $ .\ .\ Copyright (c) 2002, Daniel Hartmeier @@ -1407,13 +1407,8 @@ .Xr pfctl 8 , see the file .Em /etc/protocols . -.It Xo -.Ar from Aq Ar source -.Ar port Aq Ar source -.Ar os Aq Ar source -.Ar to Aq Ar dest -.Ar port Aq Ar dest -.Xc +.It Ar from Ao Ar source Ac Ar port Ao Ar source Ac Ar os Ao Ar source Ac \ +Ar to Ao Ar dest Ac Ar port Aq Ar dest This rule applies only to packets with the specified source and destination addresses and ports. .Pp @@ -1592,11 +1587,8 @@ block out proto { tcp, udp } all pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei } .Ed -.It Xo Ar flags Aq Ar a -.Pf / Ns Aq Ar b -.No \*(Ba / Ns Aq Ar b -.No \*(Ba any -.Xc +.It Ar flags Ao Ar a Ac Pf / Ns Ao Ar b Ac No \*(Ba / Ns \ +Ao Ar b Ac No \*(Ba any This rule only applies to TCP packets that have the flags .Aq Ar a set out of set 
@@ -1648,12 +1640,8 @@ .Ar reassemble tcp will also not be recoverable from intermediate packets. Such connections will stall and time out. -.It Xo Ar icmp-type Aq Ar type -.Ar code Aq Ar code -.Xc -.It Xo Ar icmp6-type Aq Ar type -.Ar code Aq Ar code -.Xc +.It Ar icmp-type Ao Ar type Ac Ar code Ao Ar code Ac +.It Ar icmp6-type Ao Ar type Ac Ar code Ao Ar code Ac This rule only applies to ICMP or ICMPv6 packets with the specified type and code. Text names for ICMP types and codes are listed in @@ -1669,9 +1657,7 @@ .Ar icmp6-type .Pc must match. -.It Xo Ar tos Aq Ar string -.No \*(Ba Aq Ar number -.Xc +.It Ar tos Ao Ar string Ac No \*(Ba Aq Ar number This rule applies to packets with the specified .Em TOS bits set. @@ -1747,10 +1733,7 @@ The macro expansion for the .Ar label directive occurs only at configuration file parse time, not during runtime. -.It Xo Ar queue Aq Ar queue -.No \*(Ba ( Aq Ar queue , -.Aq Ar queue ) -.Xc +.It Ar queue Ao Ar queue Ac No \*(Ba ( Ao Ar queue Ac , Aq Ar queue ) Packets matching this rule will be assigned to the specified queue. If two queues are given, packets which have a .Em TOS @@ -2030,9 +2013,7 @@ .\ Prevent state changes for states created by this rule from appearing on the .\ .Xr pfsync 4 .\ interface. -.It Xo Aq Ar timeout -.Aq Ar seconds -.Xc +.It Ao Ar timeout Ac Aq Ar seconds Changes the timeout values used for states created by this rule. For a list of all valid timeout names, see .Sx OPTIONS @@ -2089,9 +2070,7 @@ .It Ar max-src-conn Aq Ar number Limits the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make. -.It Xo Ar max-src-conn-rate Aq Ar number -.No / Aq Ar seconds -.Xc +.It Ar max-src-conn-rate Ao Ar number Ac No / Aq Ar seconds Limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average. .El 
@@ -2372,10 +2351,7 @@ .It Ar anchor Aq Ar name Evaluates the filter rules in the specified .Ar anchor . -.It Xo Ar load anchor -.Aq Ar name -.Ar from Aq Ar file -.Xc +.It Ar load anchor Ao Ar name Ac Ar from Aq Ar file Loads the rules from the specified file into the anchor .Ar name .
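Review bot: Nothing accompanying this change shows that the rendered rule syntax is unchanged, and the `flags` and `queue` entries are the ones most at risk: they combine `Pf`, `Ns`, `No \*(Ba` and the delimiters `(`, `,`, `)` with the new `Ao`/`Ac` pairs, where spacing is easy to alter. Please compare the formatted output of pf.conf(5) before and after, since readers write filter rules from these syntax lines. The from/port/os/to and flags entries also still need a trailing `\` continuation, and most entries end in `Aq` while the rest of the line uses `Ao`/`Ac`; a comment explaining that mix would help the next editor.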
CVS commit: src/dist/pf/share/man/man4
Module Name:src Committed By: joerg Date: Sun Oct 4 18:07:26 UTC 2009 Modified Files: src/dist/pf/share/man/man4: pfsync.4 Log Message: .Xr takes two arguments only. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/dist/pf/share/man/man4/pfsync.4 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man4/pfsync.4 diff -u src/dist/pf/share/man/man4/pfsync.4:1.3 src/dist/pf/share/man/man4/pfsync.4:1.4 --- src/dist/pf/share/man/man4/pfsync.4:1.3 Mon Sep 14 11:45:01 2009 +++ src/dist/pf/share/man/man4/pfsync.4 Sun Oct 4 18:07:26 2009 @@ -1,4 +1,4 @@ -.\ $NetBSD: pfsync.4,v 1.3 2009/09/14 11:45:01 degroote Exp $ +.\ $NetBSD: pfsync.4,v 1.4 2009/10/04 18:07:26 joerg Exp $ .\ $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $ .\ .\ Copyright (c) 2002 Michael Shalayeff @@ -125,7 +125,8 @@ Either run the pfsync protocol on a trusted network \- ideally a network dedicated to pfsync messages such as a crossover cable between two firewalls, or specify a peer address and protect the traffic with -.Xr ipsec 4 (it is not supported at the moment on +.Xr ipsec 4 +(it is not supported at the moment on .Nx due to the lack of any encapsulation pseudo-device). .Pp
CVS commit: src/dist/pf/share/man/man4
Module Name:src Committed By: wiz Date: Mon Sep 14 11:17:42 UTC 2009 Modified Files: src/dist/pf/share/man/man4: pfsync.4 Log Message: Fix Dd argument. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/dist/pf/share/man/man4/pfsync.4 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man4/pfsync.4 diff -u src/dist/pf/share/man/man4/pfsync.4:1.1 src/dist/pf/share/man/man4/pfsync.4:1.2 --- src/dist/pf/share/man/man4/pfsync.4:1.1 Mon Sep 14 10:36:48 2009 +++ src/dist/pf/share/man/man4/pfsync.4 Mon Sep 14 11:17:42 2009 @@ -1,4 +1,4 @@ -.\ $NetBSD: pfsync.4,v 1.1 2009/09/14 10:36:48 degroote Exp $ +.\ $NetBSD: pfsync.4,v 1.2 2009/09/14 11:17:42 wiz Exp $ .\ $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $ .\ .\ Copyright (c) 2002 Michael Shalayeff @@ -25,7 +25,7 @@ .\ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\ -.Dd $Mdocdate: May 31 2007 $ +.Dd September 14, 2009 .Dt PFSYNC 4 .Os .Sh NAME
CVS commit: src/dist/pf/share/man/man4
Module Name:src Committed By: wiz Date: Mon Sep 14 11:17:49 UTC 2009 Modified Files: src/dist/pf/share/man/man4: pf.4 Log Message: - \*[Lt]\*[Gt]\*[Am] Bump date for pfsync(4) link. To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/dist/pf/share/man/man4/pf.4 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man4/pf.4 diff -u src/dist/pf/share/man/man4/pf.4:1.10 src/dist/pf/share/man/man4/pf.4:1.11 --- src/dist/pf/share/man/man4/pf.4:1.10 Mon Sep 14 10:36:48 2009 +++ src/dist/pf/share/man/man4/pf.4 Mon Sep 14 11:17:49 2009 @@ -1,4 +1,4 @@ -.\ $NetBSD: pf.4,v 1.10 2009/09/14 10:36:48 degroote Exp $ +.\ $NetBSD: pf.4,v 1.11 2009/09/14 11:17:49 wiz Exp $ .\ $OpenBSD: pf.4,v 1.59 2007/05/31 19:19:51 jmc Exp $ .\ .\ Copyright (C) 2001, Kjell Wooding. All rights reserved. @@ -27,7 +27,7 @@ .\ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\ SUCH DAMAGE. .\ -.Dd May 31, 2007 +.Dd September 14, 2009 .Dt PF 4 .Os .Sh NAME 
@@ -1065,32 +1065,32 @@ .Dv DIOCNATLOOK command to find the internal host/port of a NATed connection: .Bd -literal -#include sys/types.h -#include sys/socket.h -#include sys/ioctl.h -#include sys/fcntl.h -#include net/if.h -#include netinet/in.h -#include net/pfvar.h -#include err.h -#include stdio.h -#include stdlib.h +#include \*[Lt]sys/types.h\*[Gt] +#include \*[Lt]sys/socket.h\*[Gt] +#include \*[Lt]sys/ioctl.h\*[Gt] +#include \*[Lt]sys/fcntl.h\*[Gt] +#include \*[Lt]net/if.h\*[Gt] +#include \*[Lt]netinet/in.h\*[Gt] +#include \*[Lt]net/pfvar.h\*[Gt] +#include \*[Lt]err.h\*[Gt] +#include \*[Lt]stdio.h\*[Gt] +#include \*[Lt]stdlib.h\*[Gt] u_int32_t read_address(const char *s) { int a, b, c, d; - sscanf(s, %i.%i.%i.%i, a, b, c, d); - return htonl(a 24 | b 16 | c 8 | d); + sscanf(s, %i.%i.%i.%i, \*[Am]a, \*[Am]b, \*[Am]c, \*[Am]d); + return htonl(a \*[Lt]\*[Lt] 24 | b \*[Lt]\*[Lt] 16 | c \*[Lt]\*[Lt] 8 | d); } void print_address(u_int32_t a) { a = ntohl(a); - printf(%d.%d.%d.%d, a 24 255, a 16 255, - a 8 255, a 255); + printf(%d.%d.%d.%d, a \*[Gt]\*[Gt] 24 \*[Am] 255, a \*[Gt]\*[Gt] 16 \*[Am] 255, + a \*[Gt]\*[Gt] 8 \*[Am] 255, a \*[Am] 255); } int @@ -1100,7 +1100,7 @@ int dev; if (argc != 5) { - printf(%s gwy addr gwy port ext addr ext port\\n, + printf(%s \*[Lt]gwy addr\*[Gt] \*[Lt]gwy port\*[Gt] \*[Lt]ext addr\*[Gt] \*[Lt]ext port\*[Gt]\\n, argv[0]); return 1; } @@ -1109,7 +1109,7 @@ if (dev == -1) err(1, open(\\/dev/pf\\) failed); - memset(nl, 0, sizeof(struct pfioc_natlook)); + memset(\*[Am]nl, 0, sizeof(struct pfioc_natlook)); nl.saddr.v4.s_addr = read_address(argv[1]); nl.sport = htons(atoi(argv[2])); nl.daddr.v4.s_addr = read_address(argv[3]); @@ -1118,7 +1118,7 @@ nl.proto = IPPROTO_TCP; nl.direction = PF_IN; - if (ioctl(dev, DIOCNATLOOK, nl)) + if (ioctl(dev, DIOCNATLOOK, \*[Am]nl)) err(1, DIOCNATLOOK); printf(internal host );
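Review bot: In the read_address() lines touched by the @@ -1065,32 +1065,32 @@ hunk, the sscanf() return value is ignored and `%i` also accepts octal and hexadecimal input, so a, b, c and d can be uninitialised or outside 0..255 when they are shifted, and `a \*[Lt]\*[Lt] 24` overflows a signed int for a first octet of 128 or more. Since readers copy this example, check that sscanf() returned 4 and that each octet is in range (or use inet_pton(3)) while these lines are being edited. main() has the same gap with `atoi(argv[2])` for the port.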
CVS commit: src/dist/pf/share/man/man4
Module Name:src Committed By: degroote Date: Mon Sep 14 11:45:01 UTC 2009 Modified Files: src/dist/pf/share/man/man4: pfsync.4 Log Message: Improve the pfsync(4) man page hostname.if(5) is ifconfig.if(5) on NetBSD Don't speak about enc, as we don't support it at the moment Make clear that we don't support ipsec protection of pfsync traffic (as long we doesn't support enc, or similar thing) Catched by wiz@ To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/dist/pf/share/man/man4/pfsync.4 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/dist/pf/share/man/man4/pfsync.4 diff -u src/dist/pf/share/man/man4/pfsync.4:1.2 src/dist/pf/share/man/man4/pfsync.4:1.3 --- src/dist/pf/share/man/man4/pfsync.4:1.2 Mon Sep 14 11:17:42 2009 +++ src/dist/pf/share/man/man4/pfsync.4 Mon Sep 14 11:45:01 2009 @@ -1,4 +1,4 @@ -.\ $NetBSD: pfsync.4,v 1.2 2009/09/14 11:17:42 wiz Exp $ +.\ $NetBSD: pfsync.4,v 1.3 2009/09/14 11:45:01 degroote Exp $ .\ $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $ .\ .\ Copyright (c) 2002 Michael Shalayeff 
@@ -108,16 +108,16 @@ used is 224.0.0.240. When a peer address is specified using the .Ic syncpeer -keyword, the peer address is used as a destination for the pfsync traffic, -and the traffic can then be protected using -.Xr ipsec 4 . -In such a configuration, the syncdev should be set to the -.Xr enc 4 -interface, as this is where the traffic arrives when it is decapsulated, -e.g.: -.Bd -literal -offset indent -# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0 -.Ed +keyword, the peer address is used as a destination for the pfsync traffic. +.\and the traffic can then be protected using +.\.Xr ipsec 4 . +.\In such a configuration, the syncdev should be set to the +.\.Xr enc 4 +.\interface, as this is where the traffic arrives when it is decapsulated, +.\e.g.: +.\.Bd -literal -offset indent +.\# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0 +.\.Ed .Pp It is important that the pfsync traffic be well secured as there is no authentication on the protocol and it would @@ -125,7 +125,9 @@ Either run the pfsync protocol on a trusted network \- ideally a network dedicated to pfsync messages such as a crossover cable between two firewalls, or specify a peer address and protect the traffic with -.Xr ipsec 4 . +.Xr ipsec 4 (it is not supported at the moment on +.Nx +due to the lack of any encapsulation pseudo-device). .Pp There is a one-to-one correspondence between packets seen by .Xr bpf 4 
@@ -161,32 +163,32 @@ The interfaces are configured as follows (firewall A unless otherwise indicated): .Pp -.Pa /etc/hostname.sis0 : +.Pa /etc/ifconfig.sis0 : .Bd -literal -offset indent inet 10.0.0.254 255.255.255.0 NONE .Ed .Pp -.Pa /etc/hostname.sis1 : +.Pa /etc/ifconfig.sis1 : .Bd -literal -offset indent inet 192.168.0.254 255.255.255.0 NONE .Ed .Pp -.Pa /etc/hostname.sis2 : +.Pa /etc/ifconfig.sis2 : .Bd -literal -offset indent inet 192.168.254.254 255.255.255.0 NONE .Ed .Pp -.Pa /etc/hostname.carp0 : +.Pa /etc/ifconfig.carp0 : .Bd -literal -offset indent inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo .Ed .Pp -.Pa /etc/hostname.carp1 : +.Pa /etc/ifconfig.carp1 : .Bd -literal -offset indent inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar .Ed .Pp -.Pa /etc/hostname.pfsync0 : +.Pa /etc/ifconfig.pfsync0 : .Bd -literal -offset indent up syncdev sis2 .Ed @@ -212,7 +214,7 @@ interfaces should be set to something higher than the primary's. For example, if firewall B is the backup, its -.Pa /etc/hostname.carp1 +.Pa /etc/ifconfig.carp1 would look like this: .Bd -literal -offset indent inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e @@ -232,9 +234,10 @@ .Xr ipsec 4 , .Xr netintro 4 , .Xr pf 4 , -.Xr hostname.if 5 , +.Xr ifconfig.if 5 , .Xr pf.conf 5 , .Xr protocols 5 , +.\ enc 8, .Xr ifconfig 8 , .Xr tcpdump 8 .Sh HISTORY
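Review bot: In the @@ -125,7 +125,9 @@ hunk, `.Xr ipsec 4 (it is not supported at the moment on` passes the parenthetical to `.Xr` as extra arguments; `.Xr` takes a name and a section, so start the parenthetical on its own line. The resulting paragraph still offers ipsec(4) as one of two ways to secure a protocol that has no authentication and then says it is unavailable, which leaves a trusted or dedicated sync network as the only option on NetBSD; say that directly. In the @@ -108,16 +108,16 @@ hunk the old ipsec/enc text is commented out line by line rather than removed, which leaves dead text in the source.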