xref: /freebsd/share/man/man4/blackhole.4 (revision 76de453c69b339f3162d2d8a660832c9c7baddd5)
.\"
.\" blackhole - drop refused TCP or UDP connects
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\"
.\" $FreeBSD$
.Dd January 1, 2007
.Dt BLACKHOLE 4
.Os
.Sh NAME
.Nm blackhole
.Nd a
.Xr sysctl 8
MIB for manipulating behaviour in respect of refused TCP or UDP connection
attempts
.Sh SYNOPSIS
.Cd sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
.Cd sysctl net.inet.udp.blackhole[=[0 | 1]]
.Sh DESCRIPTION
The
.Nm
.Xr sysctl 8
MIB is used to control system behaviour when connection requests
are received on TCP or UDP ports where there is no socket listening.
.Pp
Normal behaviour, when a TCP SYN segment is received on a port where
there is no socket accepting connections, is for the system to return
a RST segment, and drop the connection.
The connecting system will
see this as a
.Dq Connection refused .
By setting the TCP blackhole
MIB to a numeric value of one, the incoming SYN segment
is merely dropped, and no RST is sent, making the system appear
as a blackhole.
By setting the MIB value to two, any segment arriving
on a closed port is dropped without returning a RST.
This provides some degree of protection against stealth port scans.
.Pp
In the UDP instance, enabling blackhole behaviour turns off the sending
of an ICMP port unreachable message in response to a UDP datagram which
arrives on a port where there is no socket listening.
It must be noted that this behaviour will prevent remote systems from running
.Xr traceroute 8
to a system.
.Pp
The blackhole behaviour is useful to slow down anyone who is port scanning
a system, attempting to detect vulnerable services on a system.
It could potentially also slow down someone who is attempting a denial
of service attack.
.Sh WARNING
The TCP and UDP blackhole features should not be regarded as a replacement
for firewall solutions.
Better security would consist of the
.Nm
.Xr sysctl 8
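The following toy model, added here as an illustration and not part of the man page or of the FreeBSD kernel, spells out the DESCRIPTION above: what a host answers on a closed TCP or UDP port under each blackhole value, why traceroute(8) stops recognising the host, and why a SYN probe can no longer tell a closed port from a filtered one. The port numbers are constructed sample data.

```python
"""Model of a FreeBSD host's reply to traffic aimed at a port with no listening
socket, for each net.inet.tcp.blackhole / net.inet.udp.blackhole value.
Added example for the blackhole(4) page; not kernel code."""
from typing import Dict, Optional, Set


def tcp_reply(flags: Set[str], blackhole: int, listening: bool) -> Optional[str]:
    """Reply to a TCP segment, or None when it is silently dropped.
    `flags` holds the arriving segment's TCP flags, e.g. {"SYN"} or {"ACK"}."""
    if listening:
        return "SYN-ACK" if flags == {"SYN"} else "deliver"
    if blackhole == 2:
        return None                  # every segment to a closed port is dropped
    if blackhole == 1 and "SYN" in flags and "ACK" not in flags:
        return None                  # only new connection attempts are swallowed
    return "RST"                     # default: the peer sees "Connection refused"


def udp_reply(blackhole: int, listening: bool) -> Optional[str]:
    """Reply to a UDP datagram: delivered, ICMP port unreachable, or nothing."""
    if listening:
        return "deliver"
    return None if blackhole else "ICMP port unreachable"


def traceroute_reaches_host(udp_blackhole: int) -> bool:
    """traceroute(8) knows it has reached the destination when its UDP probe to
    an unused high port draws an ICMP port unreachable; blackhole hides that."""
    return udp_reply(udp_blackhole, listening=False) is not None


def probe_view(open_ports: Set[int], probed: Set[int], blackhole: int) -> Dict[int, str]:
    """What a remote SYN probe concludes about each probed port.  With blackhole
    enabled, closed ports stop answering and look like filtered ones, so the
    prober must wait out a timeout per port instead of getting an immediate RST."""
    view: Dict[int, str] = {}
    for port in sorted(probed):
        reply = tcp_reply({"SYN"}, blackhole, port in open_ports)
        view[port] = {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")
    return view
```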
MIB used in conjunction with one of the available firewall packages.
.Pp
This mechanism is not a substitute for securing a system.
It should be used together with other security mechanisms.
.Sh SEE ALSO
.Xr ip 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr ipf 8 ,
.Xr ipfw 8 ,
.Xr pfctl 8 ,
.Xr sysctl 8
.Sh HISTORY
The TCP and UDP
.Nm
MIBs
first appeared in
.Fx 4.0 .
.Sh AUTHORS
.An Geoffrey M. Rehmet
85