diff options
author | Darren Reed <darrenr@FreeBSD.org> | 2004-06-21 22:47:51 +0000 |
---|---|---|
committer | Darren Reed <darrenr@FreeBSD.org> | 2004-06-21 22:47:51 +0000 |
commit | dfb9a48c6965171c72436fae97fdb25542af491f (patch) | |
tree | 699025ff2d567ed726a446a7ca5c3d916f5ca0a4 /contrib/ipfilter/man | |
parent | 352ec47813304ee7ee9a19078ea485430e0c35a9 (diff) | |
download | src-dfb9a48c6965171c72436fae97fdb25542af491f.tar.gz src-dfb9a48c6965171c72436fae97fdb25542af491f.zip |
Import ipfilter 3.4.35 onto vendor branch
Notes
Notes:
svn path=/vendor/ipfilter/dist/; revision=130887
Diffstat (limited to 'contrib/ipfilter/man')
-rw-r--r-- | contrib/ipfilter/man/ipf.5 | 14 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipf.8 | 2 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipfstat.8 | 4 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipftest.1 | 2 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipl.4 | 2 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipmon.8 | 6 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipnat.5 | 26 |
7 files changed, 29 insertions, 27 deletions
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 index 8c7dac043e5c..835d77511d9e 100644 --- a/contrib/ipfilter/man/ipf.5 +++ b/contrib/ipfilter/man/ipf.5 @@ -1,10 +1,10 @@ .TH IPF 5 .SH NAME -ipf, ipf.conf \- IP packet filter rule syntax +ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax .SH DESCRIPTION .PP A rule file for \fBipf\fP may have any name or even be stdin. As -\fBipfstat\fP produces parseable rules as output when displaying the internal +\fBipfstat\fP produces parsable rules as output when displaying the internal kernel filter lists, it is quite plausible to use its output to feed back into \fBipf\fP. Thus, to remove all filters on input packets, the following could be done: @@ -37,7 +37,7 @@ log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] . call = "call" [ "now" ] function-name . skip = "skip" decnumber . dup = "dup-to" interface-name[":"ipaddr] . -froute = "fastroute" | "to" interface-name . +froute = "fastroute" | "to" interface-name[":"ipaddr] . protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . fromto = "from" [ "!" ] object "to" [ "!" ] object . @@ -116,7 +116,7 @@ below). Filters are installed by default at the end of the kernel's filter lists, prepending the rule with \fB@n\fP will cause it to be inserted as the n'th entry in the current list. This is especially useful when -modifying and testing active filter rulesets. See ipf(1) for more +modifying and testing active filter rulesets. See ipf(8) for more information. .SH ACTIONS .PP @@ -136,7 +136,7 @@ with a rule which is being applied to TCP packets. When using \fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify the actual unreachable `type'. That is, whether it is a network unreachable, port unreachable or even administratively -prohibitied. This is done by enclosing the ICMP code associated with +prohibited. This is done by enclosing the ICMP code associated with it in parenthesis directly following \fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP as follows: .nf @@ -386,7 +386,7 @@ against, e.g.: .TP .B icmp-type is only effective when used with \fBproto icmp\fP and must NOT be used -in conjuction with \fBflags\fP. There are a number of types, which can be +in conjunction with \fBflags\fP. There are a number of types, which can be referred to by an abbreviation recognised by this language, or the numbers with which they are associated can be used. The most important from a security point of view is the ICMP redirect. @@ -427,7 +427,7 @@ indicates that the rule should be put in group (number n) rather than group 0. .PP When a packet is logged, with either the \fBlog\fP action or option, the headers of the packet are written to the \fBipl\fP packet logging -psuedo-device. Immediately following the \fBlog\fP keyword, the +pseudo-device. Immediately following the \fBlog\fP keyword, the following qualifiers may be used (in order): .TP .B body diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8 index 8688566583ad..60261d243079 100644 --- a/contrib/ipfilter/man/ipf.8 +++ b/contrib/ipfilter/man/ipf.8 @@ -112,7 +112,7 @@ the current interface status list. .TP .B \-z For each rule in the input file, reset the statistics for it to zero and -display the statistics prior to them being zero'd. +display the statistics prior to them being zeroed. .TP .B \-Z Zero global statistics held in the kernel for filtering only (this doesn't diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8 index f641d5971783..c506a15e6ce3 100644 --- a/contrib/ipfilter/man/ipfstat.8 +++ b/contrib/ipfilter/man/ipfstat.8 @@ -64,7 +64,7 @@ This option is only valid in combination with \fB\-t\fP. Limit the state top display to show only state entries whose destination IP address and port match the addport argument. The addrport specification is of the form ipaddress[,port]. The ipaddress and port should be either numerical or the -string "any" (specifying any ip address resp. any port). If the \fB\-D\fP +string "any" (specifying any IP address resp. any port). If the \fB\-D\fP option is not specified, it defaults to "\fB\-D\fP any,any". .TP .B \-f @@ -140,7 +140,7 @@ kernel. Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In this mode the state table is displayed similar to the way \fBtop\fP displays the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP -commandline options can be used to restrict the state entries that will be +command line options can be used to restrict the state entries that will be shown and to specify the frequency of display updates. .PP In state top mode, the following keys can be used to influence the displayed diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1 index e7cc13a06c11..bbfbc0c2319a 100644 --- a/contrib/ipfilter/man/ipftest.1 +++ b/contrib/ipfilter/man/ipftest.1 @@ -1,6 +1,6 @@ .TH ipftest 1 .SH NAME -ipftest \- test packet filter rules with arbitary input. +ipftest \- test packet filter rules with arbitrary input. .SH SYNOPSIS .B ipftest [ diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4 index 7c6d46ec5b72..0368f03ba15b 100644 --- a/contrib/ipfilter/man/ipl.4 +++ b/contrib/ipfilter/man/ipl.4 @@ -7,7 +7,7 @@ packet headers of packets you wish to log. If a packet header is to be logged, the entire header is logged (including any IP options \- TCP/UDP options are not included when it calculates header size) or not at all. The packet contents are also logged after the header. If the log reader -is busy or otherwise unable to read log records, upto IPLLOGSIZE (8192 is the +is busy or otherwise unable to read log records, up to IPLLOGSIZE (8192 is the default) bytes of data are stored. .PP Prepending every packet header logged is a structure containing information diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index 6a40802d361e..282779752943 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 @@ -82,11 +82,11 @@ are displayed to the same output 'device' (stderr or syslog). .TP .B \-b For rules which log the body of a packet, generate hex output representing -the packet contents afte the headers. +the packet contents after the headers. .TP .B \-D Cause ipmon to turn itself into a daemon. Using subshells or backgrounding -of ipmon is not required to turn it into an orphan so it can run indefinately. +of ipmon is not required to turn it into an orphan so it can run indefinitely. .TP .B "\-f <device>" specify an alternative device/file from which to read the log information @@ -170,3 +170,5 @@ recorded data. .SH SEE ALSO ipl(4), ipf(8), ipfstat(8), ipnat(8) .SH BUGS +.PP +If you find any, please send email to me at darrenr@pobox.com diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index fe45464d343e..2bedd0c5f3b4 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 @@ -12,16 +12,16 @@ map ::= mapit ifname fromto "->" dstipmask [ mapport ] mapoptions. mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] mapoptions. redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport rdroptions . -dport ::= "port" portnum [ "-" portnum ] . -ports ::= "ports" numports | "auto" . -rdrport ::= "port" portnum . +dport ::= "port" number [ "-" number ] . +ports ::= "ports" number | "auto" . +rdrport ::= "port" number . mapit ::= "map" | "bimap" . fromto ::= "from" object "to" object . ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . dstipmask ::= ipmask | "range" ip "-" ip . mapport ::= "portmap" tcpudp portspec . mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] . -rdroptions ::= [ tcpudp ] [ rr ] [ "frag" ] [ age ] [ clamp ] . +rdroptions ::= [ tcpudp | protocol ] [ rr ] [ "frag" ] [ age ] [ clamp ] . object :: = addr [ port-comp | port-range ] . addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . @@ -31,14 +31,14 @@ port-range :: = "port" port-num range port-num . rr ::= "round-robin" . age ::= "age" decnumber [ "/" decnumber ] . clamp ::= "mssclamp" decnumber . -tcpudp ::= "tcp/udp" | protocol . +tcpudp ::= "tcp/udp" | "tcp" | "udp" . protocol ::= protocol-name | decnumber . -nummask ::= host-name [ "/" decnumber ] . -portspec ::= "auto" | portnumber ":" portnumber . -portnumber ::= number { numbers } . +nummask ::= host-name [ "/" number ] . +portspec ::= "auto" | number ":" number . ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . +number ::= numbers [ number ] . numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' . .fi .PP @@ -134,9 +134,9 @@ If more refined timeouts are required than those available globally for NAT settings, this allows you to set them for \fBnon-TCP\fP use. .SH TRANSLATION .PP -To the right of the "->" is the address and port specificaton which will be +To the right of the "->" is the address and port specification which will be written into the packet providing it has already successful matched the -prior constraints. The case of redirections (\fBrdr\fP) is the simpliest: +prior constraints. The case of redirections (\fBrdr\fP) is the simplest: the new destination address is that specified in the rule. For \fBmap\fP rules, the destination address will be one for which the tuple combining the new source and destination is known to be unique. If the packet is @@ -187,7 +187,7 @@ automatically, as required. This will not effect the display of rules using "ipnat -l", only the internal application order. .SH EXAMPLES .PP -This section deals with the \fBmap\fP command and it's variations. +This section deals with the \fBmap\fP command and its variations. .PP To change IP#'s used internally from network 10 into an ISP provided 8 bit subnet at 209.1.2.0 through the ppp0 interface, the following would be used: @@ -214,7 +214,7 @@ map ppp0 10.0.0.0/8 -> 209.1.2.0/24 .fi .PP so that all TCP/UDP packets were port mapped and only other protocols, such as -ICMP, only have their IP# changed. In some instaces, it is more appropriate +ICMP, only have their IP# changed. In some instances, it is more appropriate to use the keyword \fBauto\fP in place of an actual range of port numbers if you want to guarantee simultaneous access to all within the given range. However, in the above case, it would default to 1 port per IP address, since @@ -228,7 +228,7 @@ map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto which would result in each IP address being given a small range of ports to use (252). The problem here is that the \fBmap\fP directive tells the NAT code to use the next address/port pair available for an outgoing connection, -resulting in no easily discernable relation between external addresses/ports +resulting in no easily discernible relation between external addresses/ports and internal ones. This is overcome by using \fBmap-block\fP as follows: .LP .nf |