5ad1e547fd
in FreeBSD. Approved by: trhodes (mentor), keramida (mentor)
85 lines
2.7 KiB
Groff
85 lines
2.7 KiB
Groff
.\"
|
|
.\" blackhole - drop refused TCP or UDP connects
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.Dd January 1, 2007
|
|
.Dt BLACKHOLE 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm blackhole
|
|
.Nd a
|
|
.Xr sysctl 8
|
|
MIB for manipulating behaviour in respect of refused TCP or UDP connection
|
|
attempts
|
|
.Sh SYNOPSIS
|
|
.Cd sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
|
|
.Cd sysctl net.inet.udp.blackhole[=[0 | 1]]
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
.Xr sysctl 8
|
|
MIB is used to control system behaviour when connection requests
|
|
are received on TCP or UDP ports where there is no socket listening.
|
|
.Pp
|
|
Normal behaviour, when a TCP SYN segment is received on a port where
|
|
there is no socket accepting connections, is for the system to return
|
|
a RST segment, and drop the connection.
|
|
The connecting system will
|
|
see this as a
|
|
.Dq Connection refused .
|
|
By setting the TCP blackhole
|
|
MIB to a numeric value of one, the incoming SYN segment
|
|
is merely dropped, and no RST is sent, making the system appear
|
|
as a blackhole.
|
|
By setting the MIB value to two, any segment arriving
|
|
on a closed port is dropped without returning a RST.
|
|
This provides some degree of protection against stealth port scans.
|
|
.Pp
|
|
In the UDP instance, enabling blackhole behaviour turns off the sending
|
|
of an ICMP port unreachable message in response to a UDP datagram which
|
|
arrives on a port where there is no socket listening.
|
|
It must be noted that this behaviour will prevent remote systems from running
|
|
.Xr traceroute 8
|
|
to a system.
|
|
.Pp
|
|
The blackhole behaviour is useful to slow down anyone who is port scanning
|
|
a system, attempting to detect vulnerable services on a system.
|
|
It could potentially also slow down someone who is attempting a denial
|
|
of service attack.
|
|
.Sh WARNING
|
|
The TCP and UDP blackhole features should not be regarded as a replacement
|
|
for firewall solutions.
|
|
Better security would consist of the
|
|
.Nm
|
|
.Xr sysctl 8
|
|
MIB used in conjuction with one of the available firewall packages.
|
|
.Pp
|
|
This mechanism is not a substitute for securing a system.
|
|
It should be used together with other security mechanisms.
|
|
.Sh SEE ALSO
|
|
.Xr ip 4 ,
|
|
.Xr tcp 4 ,
|
|
.Xr udp 4 ,
|
|
.Xr ipf 8 ,
|
|
.Xr ipfw 8 ,
|
|
.Xr pfctl 8 ,
|
|
.Xr sysctl 8
|
|
.Sh HISTORY
|
|
The TCP and UDP
|
|
.Nm
|
|
MIBs
|
|
first appeared in
|
|
.Fx 4.0 .
|
|
.Sh AUTHORS
|
|
.An Geoffrey M. Rehmet
|