BLACKHOLE(4)

NAME
blackhole -- a sysctl(8) MIB for manipulating behaviour in respect of
refused TCP or UDP connection attempts

SYNOPSIS
sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
sysctl net.inet.udp.blackhole[=[0 | 1]]
DESCRIPTION
The blackhole sysctl(8) MIB is used to control system behaviour when
connection requests are received on TCP or UDP ports where there is no
socket listening.

Normal behaviour, when a TCP SYN segment is received on a port where
there is no socket accepting connections, is for the system to return a
RST segment, and drop the connection. The connecting system will see
this as a "Connection refused". By setting the TCP blackhole MIB to a
numeric value of one, the incoming SYN segment is merely dropped, and no
RST is sent, making the system appear as a blackhole. By setting the MIB
value to two, any segment arriving on a closed port is dropped without
returning an RST. This provides some degree of protection against stealth
port scans.

In the UDP instance, enabling blackhole behaviour turns off the sending
of an ICMP port unreachable message in response to a UDP datagram which
arrives on a port where there is no socket listening. It must be noted
that this behaviour will prevent remote systems from running
traceroute(8) to a system.

The blackhole behaviour is useful to slow down anyone who is port
scanning a system, attempting to detect vulnerable services on a system.
It could potentially also slow down someone who is attempting a denial of
service attack.
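As an added example that is not part of the blackhole(4) manual page, the POSIX shell script below interprets the two MIB values exactly as described above, audits sysctl(8) "name: value" output lines against them, and prints the /etc/sysctl.conf lines that make a chosen setting persist across reboots (FreeBSD applies name=value lines from that file at boot). The sample sysctl output embedded in the script is constructed for offline use, and the pass condition the audit enforces (TCP at 1 or 2, UDP at 1) is an assumption of this example, not a recommendation from the manual page.

```shell
#!/bin/sh
# Added example, not part of the blackhole(4) manual page: interpret the
# net.inet.tcp.blackhole and net.inet.udp.blackhole values, audit sysctl(8)
# output against them, and emit /etc/sysctl.conf lines that persist a setting.

# Constructed sample of "sysctl net.inet.tcp.blackhole net.inet.udp.blackhole"
# output; on a FreeBSD host pipe the real command into audit_blackhole instead.
SAMPLE_SYSCTL='net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 0'

# Effect of a TCP blackhole value on segments that reach a closed port.
tcp_blackhole_effect() {
    case "$1" in
        0) echo "RST returned for any segment to a closed port (connection refused)" ;;
        1) echo "SYN to a closed port dropped silently, no RST" ;;
        2) echo "any segment to a closed port dropped silently, no RST" ;;
        *) echo "unrecognised value '$1'"; return 1 ;;
    esac
}

# Effect of a UDP blackhole value on datagrams that reach a closed port.
udp_blackhole_effect() {
    case "$1" in
        0) echo "ICMP port unreachable returned; inbound traceroute(8) works" ;;
        1) echo "datagram dropped silently; inbound traceroute(8) to this host will fail" ;;
        *) echo "unrecognised value '$1'"; return 1 ;;
    esac
}

# Print the value of one MIB from "name: value" lines on stdin (empty if absent).
sysctl_value() {
    awk -v key="$1" '$1 == (key ":") { print $2; exit }'
}

# Audit "name: value" lines on stdin. Prints one finding per MIB and returns 0
# only when the posture this example assumes is met: TCP at 1 or 2, UDP at 1.
audit_blackhole() {
    input=$(cat)
    tcp=$(printf '%s\n' "$input" | sysctl_value net.inet.tcp.blackhole)
    udp=$(printf '%s\n' "$input" | sysctl_value net.inet.udp.blackhole)
    rc=0
    printf 'net.inet.tcp.blackhole=%s: %s\n' "${tcp:-unset}" "$(tcp_blackhole_effect "${tcp:-unset}")"
    printf 'net.inet.udp.blackhole=%s: %s\n' "${udp:-unset}" "$(udp_blackhole_effect "${udp:-unset}")"
    case "$tcp" in 1|2) ;; *) rc=1 ;; esac
    case "$udp" in 1) ;; *) rc=1 ;; esac
    return "$rc"
}

# Lines for /etc/sysctl.conf (FreeBSD reads name=value lines from it at boot).
# $1 = TCP value (default 2), $2 = UDP value (default 1).
blackhole_sysctl_conf() {
    printf 'net.inet.tcp.blackhole=%s\nnet.inet.udp.blackhole=%s\n' "${1:-2}" "${2:-1}"
}

# Demonstration on the constructed sample: the TCP finding passes, the UDP one
# does not, so the audit returns 1 and the persistence lines are shown.
if ! printf '%s\n' "$SAMPLE_SYSCTL" | audit_blackhole; then
    echo "blackhole posture incomplete; to persist the assumed posture, append to /etc/sysctl.conf:"
    blackhole_sysctl_conf 2 1
fi
```

On a live FreeBSD host the same audit runs as `sysctl net.inet.tcp.blackhole net.inet.udp.blackhole | audit_blackhole`; the UDP finding is worth reading before changing anything, since enabling it silently breaks inbound traceroute(8) as the manual page notes.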
WARNING
The TCP and UDP blackhole features should not be regarded as a
replacement for ipfw(8) as a tool for firewalling a system. In order to
create a highly secure system, ipfw(8) should be used for protection, not
the blackhole feature.

This mechanism is not a substitute for securing a system. It should be
used together with other security mechanisms.
SEE ALSO
ip(4), tcp(4), udp(4), ipfw(8), sysctl(8)
AUTHORS
Geoffrey M. Rehmet
HISTORY
The TCP and UDP blackhole MIBs first appeared in FreeBSD 4.0.