xref: /freebsd/share/man/man4/blackhole.4 (revision 59322008fb4ecba98fa740a78cdcd70f308ad37e)
.\"
.\" blackhole - drop refused TCP or UDP connects
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\"
.\" $FreeBSD$
.Dd August 17, 1999
.Dt BLACKHOLE 4
.Os
.Sh NAME
.Nm blackhole
.Nd a
.Xr sysctl 8
MIB for manipulating behaviour in respect of refused TCP or UDP connection
attempts
.Sh SYNOPSIS
.Cd sysctl net.inet.tcp.blackhole
.Cd sysctl net.inet.udp.blackhole
.Pp
.Cd sysctl -w net.inet.tcp.blackhole=[0 | 1 | 2]
.Cd sysctl -w net.inet.udp.blackhole=[0 | 1]
.Sh DESCRIPTION
The
.Nm
.Xr sysctl 8
MIB is used to control system behaviour when connection requests
are received on TCP or UDP ports where there is no socket listening.
.Pp
Normal behaviour, when a TCP SYN segment is received on a port where
there is no socket accepting connections, is for the system to return
a RST segment, and drop the connection.  The connecting system will
see this as a "Connection reset by peer".  By turning the TCP black
hole MIB on to a numeric value of one, the incoming SYN segment
is merely dropped, and no RST is sent, making the system appear
as a blackhole.  By setting the MIB value to two, any segment arriving
on a closed port is dropped without returning a RST.  This provides
some degree of protection against stealth port scans.
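The two client-visible outcomes described above (a RST, seen as "Connection reset by peer", versus a silently dropped SYN) as an added C example that is not part of this manual page: a non-blocking connect() with a timeout, classified as open, refused or blackholed, which lets an administrator confirm from a second host what the system answers after changing net.inet.tcp.blackhole. The function names tcp_probe and closed_loopback_port are this example's own, and the helper that binds and releases an ephemeral loopback port is only a constructed test target with no listener.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the connecting side observes for the probed port. */
enum probe_result { PROBE_OPEN, PROBE_REFUSED, PROBE_BLACKHOLE, PROBE_ERROR };

/* Non-blocking connect() to addr:port, waiting at most timeout_ms for the
 * peer's answer (SYN-ACK, RST, or nothing at all). */
enum probe_result tcp_probe(const char *addr, unsigned short port, int timeout_ms)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) return PROBE_ERROR;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return PROBE_ERROR;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    int err = connect(fd, (struct sockaddr *)&sin, sizeof sin) == 0 ? 0 : errno;
    if (err == EINPROGRESS) {           /* SYN sent; wait for SYN-ACK or RST */
        fd_set wfds; FD_ZERO(&wfds); FD_SET(fd, &wfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        socklen_t len = sizeof err;
        int n = select(fd + 1, NULL, &wfds, NULL, &tv);
        if (n > 0) getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len);
        else err = n == 0 ? ETIMEDOUT : errno;   /* nothing arrived in time */
    }
    close(fd);
    /* RST -> ECONNREFUSED (blackhole=0); dropped SYN -> timeout (blackhole=1|2). */
    return err == 0 ? PROBE_OPEN : err == ECONNREFUSED ? PROBE_REFUSED
         : err == ETIMEDOUT ? PROBE_BLACKHOLE : PROBE_ERROR;
}

/* Constructed test target (not a real host): bind an ephemeral loopback port,
 * read back its number and close it, leaving a port that nothing listens on. */
int closed_loopback_port(void)
{
    struct sockaddr_in sin = { .sin_family = AF_INET };
    socklen_t len = sizeof sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0), port = -1;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0 &&
        getsockname(fd, (struct sockaddr *)&sin, &len) == 0)
        port = ntohs(sin.sin_port);
    if (fd >= 0) close(fd);
    return port;
}
```

Against a host with the sysctl off, a port with no listener classifies as PROBE_REFUSED; with it set to one or two, the same probe returns PROBE_BLACKHOLE after the timeout instead.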
.Pp
In the UDP instance, enabling blackhole behaviour turns off the sending
of an ICMP port unreachable message in response to a UDP datagram which
arrives on a port where there is no socket listening.  It must be noted
that this behaviour will prevent remote systems from running
.Xr traceroute 8
to your system.
.Pp
The blackhole behaviour is useful to slow down anyone who is port scanning
your system, in order to try and detect vulnerable services on your system.
It could potentially also slow down someone who is attempting a denial
of service against your system.
.Sh WARNING
The TCP and UDP blackhole features should not be regarded as a replacement
for
.Xr ipfw 8
as a tool for firewalling your system.  In order to create a highly
secure system, you should use
.Xr ipfw 8
to protect your system, and not the blackhole feature.
.Pp
This mechanism is not a substitute for securing your system,
but should be used together with other security mechanisms.
.Sh SEE ALSO
.Xr ip 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8
.Sh AUTHORS
.An Geoffrey M. Rehmet
.Sh HISTORY
The TCP and UDP
.Nm
MIBs
first appeared in
.Fx 4.0 .