On Mon, May 09, 2022 at 10:08:24PM +0100, Stuart Henderson wrote:
> This is helpful, but because it's so surprising that "pass proto icmp"
> doesn't pass all icmp traffic, I think it would help to mention it where
> "proto icmp" is described too.
> 
> Also, the top of the text about "sloppy" just talks about the sloppy
> TCP connection tracker, I think perhaps it would be better to lead
> with something that suggests it has multiple functions for different
> protocols?

OK bluhm@

> Index: man5/pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.594
> diff -u -p -r1.594 pf.conf.5
> --- man5/pf.conf.5    9 May 2022 20:29:23 -0000       1.594
> +++ man5/pf.conf.5    9 May 2022 21:05:48 -0000
> @@ -594,6 +594,13 @@ or
>  .Pc
>  must match.
>  .Pp
> +ICMP responses are not permitted unless they either match an
> +existing request, or unless
> +.Cm no state
> +or
> +.Cm keep state (sloppy)
> +is specified.
> +.Pp
>  .It Cm label Ar string
>  Adds a label to the rule, which can be used to identify the rule.
>  For instance,
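
Review bot: the new sentence doubles the conjunction ("unless they either match ... or unless ..."); drop the second "unless" so it reads "ICMP responses are not permitted unless they either match an existing request, or .Cm no state or .Cm keep state (sloppy) is specified." The quoted reply also asks for this behaviour to be mentioned where "proto icmp" is described; this hunk adds it in one place only, so either a second mention or an .Xr-style cross-reference from the proto text would close that request.
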
> @@ -2177,7 +2184,7 @@ States created by this rule are exported
>  .Xr pflow 4
>  interface.
>  .It Cm sloppy
> -Uses a sloppy TCP connection tracker that does not check sequence
> +For TCP, uses a sloppy connection tracker that does not check sequence
>  numbers at all, which makes insertion and ICMP teardown attacks way
>  easier.
>  This is intended to be used in situations where one does not see all
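
Review bot: "For TCP," scopes the existing sentence correctly, but the item still opens straight into the TCP tracker, which is exactly what the quoted reply flagged; consider a short lead sentence before it, e.g. "Relaxes state tracking; the effect depends on the protocol." so that a reader sees up front that the option also changes ICMP handling before reaching the TCP-specific sequence-number and teardown-attack caveat.
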
> @@ -2186,7 +2193,8 @@ It cannot be used with
>  .Cm modulate state
>  or
>  .Cm synproxy state .
> -With this option ICMP replies can create states.
> +For ICMP, this option allows states to be created from replies,
> +not just requests.
>  .It Ar timeout seconds
>  Changes the
>  .Ar timeout
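
Review bot: the replacement line states what sloppy permits for ICMP but, unlike the TCP text above it, not the consequence; since the earlier hunk establishes that responses are normally only passed when they match an existing request, it would help to say here that with sloppy an unsolicited reply is accepted and establishes state, so the request-matching check no longer applies. Terminology also differs between the two hunks ("ICMP responses" versus "replies"); pick one term for both.
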
