author: jmc <jmc@openbsd.org> 2003-08-28 09:41:22 +0000
committer: jmc <jmc@openbsd.org> 2003-08-28 09:41:22 +0000
commit: 8e67d5fd5837424d560252fe6288190aff4ce030
tree: 40119ab32d4872216c100227f391d55cefac24c1 /share/man/man5
parent: fix "pfctl -vvsr" output for rules with tables inside anchors.
tweak;
ok frantzen@
Diffstat (limited to 'share/man/man5')
-rw-r--r-- share/man/man5/pf.conf.5 | 39
-rw-r--r-- share/man/man5/pf.os.5 | 44
2 files changed, 49 insertions, 34 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 85813efe449..dfec303547a 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.269 2003/08/26 18:34:25 dhartmei Exp $
+.\" $OpenBSD: pf.conf.5,v 1.270 2003/08/28 09:41:22 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -440,16 +440,16 @@ Load fingerprints of known operating systems from the given filename.
By default fingerprints of known operating systems are automatically
loaded from
.Xr pf.os 5
-in /etc but can be overridden via this option.
+in
+.Pa /etc
+but can be overridden via this option.
Setting this option may leave a small period of time where the fingerprints
referenced by the currently active ruleset are inconsistent until the new
ruleset finishes loading.
.Pp
For example:
-.Bd -literal -offset indent
-set fingerprints "/etc/pf.os.devel"
-.Ed
.Pp
+.Dl set fingerprints \&"/etc/pf.os.devel\&"
.El
.Sh TRAFFIC NORMALIZATION
Traffic normalization is used to sanitize packet content in such
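Review bot: the `\&"` escapes on the new `.Dl set fingerprints \&"/etc/pf.os.devel\&"` line are required, not decorative: a bare `"` on a macro line is parsed as an argument delimiter and would be swallowed instead of rendered, which was never a concern inside the old `.Bd -literal` block. The same escaping has to be carried over to every later hunk that converts a quoted literal from `.Bd -literal` to `.Dl`, so those are worth a second look.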
@@ -763,7 +763,6 @@ The
can get additional parameters with
.Ar <scheduler> Ns Li (\& Ar <parameters> No ) .
Parameters are as follows:
-.Pp
.Bl -tag -width Fl
.It Ar default
Packets not matched by another queue are assigned to this one.
@@ -1019,7 +1018,6 @@ evaluated in sequential order, from first to last.
The last matching rule decides what action is taken.
.Pp
The following actions can be used in the filter:
-.Pp
.Bl -tag -width xxxx
.It Ar block
The packet is blocked.
@@ -1151,7 +1149,10 @@ For a list of all the protocol name to number mappings used by
.Xr pfctl 8 ,
see the file
.Em /etc/protocols .
-.It Ar from <source> port <source> os <source> to <dest> port <dest>
+.It Xo
+.Ar from <source> port <source> os <source>
+.Ar to <dest> port <dest>
+.Xc
This rule applies only to packets with the specified source and destination
addresses and ports.
.Pp
@@ -1758,19 +1759,17 @@ and would be OpenBSD for the
firewall itself.
The version of the oldest available OpenBSD release on the main ftp site
would be 2.6 and the fingerprint would be written
-.Bd -literal -offset indent
-"OpenBSD 2.6"
-.Ed
+.Pp
+.Dl \&"OpenBSD 2.6\&"
.Pp
The subtype of an operating system is typically used to describe the
patchlevel if that patch led to changes in the TCP stack behavior.
In the case of OpenBSD, the only subtype is for a fingerprint that was
normalized by the
.Ar no-df
-scrub option and would be specified like
-.Bd -literal -offset indent
-"OpenBSD 3.3 no-df"
-.Ed
+scrub option and would be specified as
+.Pp
+.Dl \&"OpenBSD 3.3 no-df\&"
.Pp
Fingerprints for most popular operating systems are provided by
.Xr pf.os 5 .
@@ -1778,9 +1777,8 @@ Once
.Xr pf 4
is running, a complete list of known operating system fingerprints may
be listed by running:
-.Bd -literal -offset indent
-# pfctl -so
-.Ed
+.Pp
+.Dl # pfctl -so
.Pp
Filter rules can enforce policy at any level of operating system specification
assuming a fingerprint is present.
@@ -2241,7 +2239,7 @@ pass in on $ext_if proto tcp from any to 157.161.48.183 port >= 49152 \e
flags S/SA keep state
# Do not allow Windows 9x SMTP connections since they are typically
-# a viral worm. Alternately we could limit these OSes to 1 connection each.
+# a viral worm. Alternately we could limit these OSes to 1 connection each.
block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e
to any port smtp
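Review bot: the `-` and `+` lines of this hunk show no visible textual difference, so this is presumably a whitespace-only fix (double space or trailing blank) in the comment. A word in the commit message would spare the next reader a `diff -w` to confirm that the `block in on $ext_if proto tcp from any os {...}` rule itself is unchanged.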
@@ -2457,6 +2455,8 @@ sc-spec = ( bandwidth-spec |
Host name database.
.It Pa /etc/pf.conf
Default location of the ruleset file.
+.It Pa /etc/pf.os
+Default location of OS fingerprints.
.It Pa /etc/protocols
Protocol name database.
.It Pa /etc/services
@@ -2473,6 +2473,7 @@ Example rulesets.
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr hosts 5 ,
+.Xr pf.os 5 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr ftp-proxy 8 ,
diff --git a/share/man/man5/pf.os.5 b/share/man/man5/pf.os.5
index 7de8e739d51..485f69a7323 100644
--- a/share/man/man5/pf.os.5
+++ b/share/man/man5/pf.os.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.os.5,v 1.3 2003/08/22 21:50:34 david Exp $
+.\" $OpenBSD: pf.os.5,v 1.4 2003/08/28 09:41:23 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
@@ -25,9 +25,9 @@ The
firewall and the
.Xr tcpdump 8
program can both fingerprint the operating system of hosts that
-originate a IPv4 TCP connection.
+originate an IPv4 TCP connection.
The file consists of newline-separated records, one per fingerprint,
-containing twelve colon
+containing nine colon
.Pq Ql \&:
separated fields.
These fields are as follows:
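Review bot: the change from "twelve" to "nine" colon-separated fields is a factual correction rather than a wording tweak and deserves more than "tweak;" in the commit message. It does agree with the EXAMPLES hunk further down, where `16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3` has exactly nine fields, the empty eighth one being the subtype that holds `!df` in the second example. The `a IPv4` to `an IPv4` fix is fine.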
@@ -59,8 +59,11 @@ field corresponds to the th->th_win field in the TCP header and is the
source host's advertised TCP window size.
It may be between zero and 65,535 inclusive.
The window size may be given as a multiple of a constant by prepending
-the size with a percent sign '%' and the value will be used as a modulus.
+the size with a percent sign
+.Sq %
+and the value will be used as a modulus.
Three special values may be used for the window size:
+.Pp
.Bl -tag -width xxx -offset indent -compact
.It *
An asterisk will wildcard the value so any window size will match.
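Review bot: the `.Pp` added before `.Bl -tag -width xxx -offset indent -compact` is not in tension with the `.Pp` lines removed before `.Bl` in the two pf.conf.5 hunks above. With `-compact`, mdoc suppresses the vertical space it would otherwise emit ahead of the list, so here a paragraph break is needed to keep the list from running straight on from "Three special values may be used for the window size:", whereas the pf.conf.5 lists are non-compact and their `.Pp` was redundant. The same reasoning covers the `.Pp` added before the options list in the next hunk. Wrapping the bare `'%'` in `.Sq %` is the right call.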
@@ -96,11 +99,16 @@ SYN packet.
Each option is described by a single character separated by a comma and
certain ones may include a value.
The options are:
+.Pp
.Bl -tag -width Description -offset indent -compact
.It Mnnn
maximum segment size (MSS) option.
The value is the maximum packet size of the network link which may
-include the '%' modulus or match all MSSes with the '*' value.
+include the
+.Sq %
+modulus or match all MSSes with the
+.Sq *
+value.
.It N
the NOP option (NO Operation).
.It T[0]
@@ -112,15 +120,18 @@ the Selective ACKnowledgement OK (SACKOK) option.
.It Wnnn
window scaling option.
The value is the size of the window scaling which may include the
-'%' modulus or match all window scalings with the '*' value.
+.Sq %
+modulus or match all window scalings with the
+.Sq *
+value.
.El
.Pp
-No TCP options in the fingerprint may be given with a single dot '.'.
+No TCP options in the fingerprint may be given with a single dot
+.Sq \&. .
.Pp
An example of OpenBSD's TCP options are:
-.Bd -literal
- M*,N,N,S,N,W0,N,N,T
-.Ed
+.Pp
+.Dl M*,N,N,S,N,W0,N,N,T
.Pp
The first option
.Ar M*
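Review bot: the context line "An example of OpenBSD's TCP options are:" is still ungrammatical ("an example ... is"), and since this hunk already rewrites the lines directly below it, it is the natural place to fix that too. On `.Sq \&. .` the `\&` is doing real work: mdoc treats a lone `.` as trailing punctuation and would render it outside the single quotes, so the escape keeps the dot inside the quotes while the second `.` supplies the sentence-ending period. Moving the options example from `.Bd -literal` to `.Dl M*,N,N,S,N,W0,N,N,T` also drops the stray leading space the old literal line carried.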
@@ -166,16 +177,19 @@ patches or tweaking.
.Pp
The
.Ar description
-is is a general description of the operating system, it's version,
+is a general description of the operating system, its version,
patchlevel and any further useful details.
.Sh EXAMPLES
-The fingerprint of a plain OpenBSD 3.3 host is:
+The fingerprint of a plain
+.Ox 3.3
+host is:
.Bd -literal
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
.Ed
.Pp
-The fingerprint of an OpenBSD 3.3 host behind a PF scrubbing firewall
-with a no-df rule would be:
+The fingerprint of an
+.Ox 3.3
+host behind a PF scrubbing firewall with a no-df rule would be:
.Bd -literal
16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
.Ed
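Review bot: the subtype spelling quoted in the pf.conf.5 hunk above, `"OpenBSD 3.3 no-df"`, does not match the subtype field `!df` in the second example here (`...:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df`). The two pages should agree on the token a rule has to use, or pf.conf.5 should state which part of the record it is quoting; otherwise a reader copying the pf.conf.5 string into an `os` rule may get no match. The `.Ox 3.3` macro and the "is is" and "it's" fixes are correct.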
@@ -222,7 +236,7 @@ three bytes.
.Pp
In the above example, the packet size comes out to 44 bytes.
.Sh SEE ALSO
-.Xr pf.conf 5 ,
.Xr pf 4 ,
+.Xr pf.conf 5 ,
.Xr pfctl 8 ,
.Xr tcpdump 8