Little formatting fixes.

[fwd] / fw.1

diff --git a/fw.1 b/fw.1
index 251aa5ab6053ce08c53205d6b5090591d0fd516a..d1f42cd5b18db373d21a95669b4913b2be493aab 100644 (file)
--- a/fw.1
+++ b/fw.1
@@ -1,6 +1,6 @@
 .\" -*-nroff-*-
 .\"
-.\" $Id: fw.1,v 1.16 2003/11/25 14:46:50 mdw Exp $
+.\" $Id: fw.1,v 1.18 2003/11/29 23:03:19 mdw Exp $
 .\"
 .\" Manual page for fw
 .\"
@@ -28,6 +28,12 @@
 .\" ---- Revision history ---------------------------------------------------
 .\" 
 .\" $Log: fw.1,v $
+.\" Revision 1.18  2003/11/29 23:03:19  mdw
+.\" Little formatting fixes.
+.\"
+.\" Revision 1.17  2003/11/29 20:36:07  mdw
+.\" Privileged outgoing connections.
+.\"
 .\" Revision 1.16  2003/11/25 14:46:50  mdw
 .\" Update docco for new options.
 .\"
@@ -1129,6 +1135,36 @@ which means to use whichever address the kernel thinks is most
 convenient.  This option is useful if the destination is doing
 host-based access control and your server is multi-homed.
 .OE
+.OS "Socket options"
+.B socket.inet.dest.priv-port
+.RB [=]
+.BR yes | no
+.OD
+Make a privileged connection (i.e., from a low-numbered port) to the
+target.  This only works if
+.B fw
+was started with root privileges.  However, it still works if
+.B fw
+has
+.I dropped
+privileges after initialization (the
+.B \-s
+option).  Before dropping privileges, 
+.B fw
+forks off a separate process which continues to run with root
+privileges, and on demand passes sockets bound to privileged ports and
+connected to the appropriate peer back to the main program.  The
+privileged child only passes back sockets connected to peer addresses
+named in the configuration; even if the
+.B fw
+process is compromised, it can't make privileged connections to other
+addresses.  Note that because of this privilege separation, it's also
+not possible to reconfigure
+.B fw
+to make privileged connections to different peer addresses later by
+changing configuration files and sending the daemon a
+.BR SIGHUP .
+.OE
 .PP
 The access control rules are examined in the order: local entries first,
 then global ones, each in the order given in the configuration file.
@@ -1191,6 +1227,7 @@ To emulate
 .VS
 from file stdin, null to file null, stdout
 .VE
+.sp -1 \" undo final space
 .
 .\"--------------------------------------------------------------------------
 .SH "SIGNAL HANDLING"
@@ -1233,7 +1270,6 @@ to reload its configuration.  Any existing connections are allowed to
 run their course.  If no such configuration files are available,
 .B fw
 just logs a message about the signal and continues.
-.PP
 .
 .\"--------------------------------------------------------------------------
 .SH "GRAMMAR SUMMARY"
@@ -1555,6 +1591,10 @@ exec
 .RB [ = ]
 .BR any | \c
 .I addr
+.br
+.B socket.inet.dest.priv-port
+.RB [=]
+.BR yes | no
 .PP
 .BR socket.unix.fattr. *
 .