manpages: remove diff markers from CHAOS,TARIPT

extensions/libxt_CHAOS.man

@@ -1,18 +1,18 @@
-+Causes confusion on the other end by doing odd things with incoming packets.
+Causes confusion on the other end by doing odd things with incoming packets.
-+CHAOS will randomly reply (or not) with one of its configurable subtargets:
+CHAOS will randomly reply (or not) with one of its configurable subtargets:
-+.TP
+.TP
-+\fB--delude\fR
+\fB--delude\fP
-+Use the REJECT and DELUDE targets as a base to do a sudden or deferred
+Use the REJECT and DELUDE targets as a base to do a sudden or deferred
-+connection reset, fooling some network scanners to return non-deterministic
+connection reset, fooling some network scanners to return non-deterministic
-+(randomly open/closed) results, and in case it is deemed open, it is actually
+(randomly open/closed) results, and in case it is deemed open, it is actually
-+closed/filtered.
+closed/filtered.
-+.TP
+.TP
-+\fB--tarpit\fR
+\fB--tarpit\fP
-+Use the REJECT and TARPIT target as a base to hold the connection until it
+Use the REJECT and TARPIT target as a base to hold the connection until it
-+times out. This consumes conntrack entries when connection tracking is loaded
+times out. This consumes conntrack entries when connection tracking is loaded
-+(which usually is on most machines), and routers inbetween you and the Internet
+(which usually is on most machines), and routers inbetween you and the Internet
-+may fail to do their connection tracking if they have to handle more
+may fail to do their connection tracking if they have to handle more
-+connections than they can.
+connections than they can.
-+.PP
+.PP
-+The randomness factor of not replying vs. replying can be set during load-time
+The randomness factor of not replying vs. replying can be set during load-time
-+of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.
+of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters.

extensions/libxt_TARPIT.man

@@ -1,33 +1,33 @@
-+Captures and holds incoming TCP connections using no local per-connection
+Captures and holds incoming TCP connections using no local per-connection
-+resources. Connections are accepted, but immediately switched to the persist
+resources. Connections are accepted, but immediately switched to the persist
-+state (0 byte window), in which the remote side stops sending data and asks to
+state (0 byte window), in which the remote side stops sending data and asks to
-+continue every 60-240 seconds. Attempts to close the connection are ignored,
+continue every 60-240 seconds. Attempts to close the connection are ignored,
-+forcing the remote side to time out the connection in 12-24 minutes.
+forcing the remote side to time out the connection in 12-24 minutes.
-+
+
-+This offers similar functionality to LaBrea
+This offers similar functionality to LaBrea
-+<http://www.hackbusters.net/LaBrea/> but does not require dedicated hardware or
+<http://www.hackbusters.net/LaBrea/> but does not require dedicated hardware or
-+IPs. Any TCP port that you would normally DROP or REJECT can instead become a
+IPs. Any TCP port that you would normally DROP or REJECT can instead become a
-+tarpit.
+tarpit.
-+
+
-+To tarpit connections to TCP port 80 destined for the current machine:
+To tarpit connections to TCP port 80 destined for the current machine:
-+.IP
+.IP
-+-A INPUT -p tcp -m tcp --dport 80 -j TARPIT
+-A INPUT -p tcp -m tcp --dport 80 -j TARPIT
-+.P
+.P
-+To significantly slow down Code Red/Nimda-style scans of unused address space,
+To significantly slow down Code Red/Nimda-style scans of unused address space,
-+forward unused ip addresses to a Linux box not acting as a router (e.g. "ip
+forward unused ip addresses to a Linux box not acting as a router (e.g. "ip
-+route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP forwarding on
+route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP forwarding on
-+the Linux box, and add:
+the Linux box, and add:
-+.IP
+.IP
-+-A FORWARD -p tcp -j TARPIT
+-A FORWARD -p tcp -j TARPIT
-+.IP
+.IP
-+-A FORWARD -j DROP
+-A FORWARD -j DROP
-+.TP
+.TP
-+NOTE:
+NOTE:
-+If you use the conntrack module while you are using TARPIT, you should also use
+If you use the conntrack module while you are using TARPIT, you should also use
-+the NOTRACK target, or the kernel will unnecessarily allocate resources for
+the NOTRACK target, or the kernel will unnecessarily allocate resources for
-+each TARPITted connection. To TARPIT incoming connections to the standard IRC
+each TARPITted connection. To TARPIT incoming connections to the standard IRC
-+port while using conntrack, you could:
+port while using conntrack, you could:
-+.IP
+.IP
-+-t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
+-t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
-+.IP
+.IP
-+-A INPUT -p tcp --dport 6667 -j TARPIT
+-A INPUT -p tcp --dport 6667 -j TARPIT