xref: /freebsd/share/man/man4/blackhole.4 (revision 849d3459bf257e18ae18f41568b50252ca5b3670)
.\"
.\" blackhole - drop refused TCP or UDP connects
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\"
.\" $Id: lptcontrol.8,v 1.9 1999/05/28 02:09:46 ghelmer Exp $
.Dd August 17, 1999
.Dt BLACKHOLE 4
.Os FreeBSD
.Sh NAME
.Nm \&blackhole
.Nd a
.Xr sysctl 8
MIB for manipulating behaviour in respect of refused TCP or UDP connection
attempts.
.Sh SYNOPSIS
.Nm \&sysctl net.inet.tcp.blackhole
.Nm \&sysctl net.inet.udp.blackhole
.Pp
.Nm \&sysctl -w net.inet.tcp.blackhole=[1 | 0]
.Nm \&sysctl -w net.inet.udp.blackhole=[1 | 0]
.Sh DESCRIPTION
The
.Nm
.Xr sysctl 8
MIB is used to control system behaviour when connection requests
are received on TCP or UDP ports where there is no socket listening.
.Pp
Normal behaviour, when a TCP SYN segment is received on a port where
there is no socket accepting connections, is for the system to return
an RST segment, and drop the connection.  The connecting system will
see this as a "Connection reset by peer".  By turning the TCP black
hole MIB on, the incoming SYN segment is merely dropped, and no
RST is sent, making the system appear as a blackhole.
.Pp
In the UDP instance, enabling blackhole behaviour turns off the sending
of an ICMP port unreachable message in response to a UDP datagram which
arrives on a port where there is no socket listening.  It must be noted
that this behaviour will prevent remote systems from running
.Xr traceroute 8
to your system.
.Pp
The blackhole behaviour is useful to slow down anyone who is port scanning
your system in order to try to detect vulnerable services on your system.
It could potentially also slow down someone who is attempting a denial
of service against your system.
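.Pp
The following shell script is an added example; it is not part of this
manual page or of the FreeBSD source tree.  It parses the
.Xr sysctl 8
output for the two MIBs described above (a constructed sample is
embedded so it runs on any host), reports whether both are enabled, and
prints the /etc/sysctl.conf lines that make the setting survive a
reboot, since sysctl -w only changes the running kernel.  The function
and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not FreeBSD's own code): audit the TCP and UDP blackhole
# MIBs from sysctl(8) output and emit the persistent configuration.
# Assumes the "name: value" output format of sysctl(8); the samples below
# are constructed, not captured from a real host.

# Constructed sample: both knobs at their default (off).
SAMPLE_OFF='net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0'

# Constructed sample: both knobs enabled.
SAMPLE_ON='net.inet.tcp.blackhole: 1
net.inet.udp.blackhole: 1'

# blackhole_value NAME TEXT
#   Prints the integer value of MIB NAME found in TEXT (sysctl output).
#   Prints nothing and returns 1 when the MIB is not present.
blackhole_value() {
    _name=$1
    _text=$2
    _val=$(printf '%s\n' "$_text" |
        awk -v n="$_name" '$1 == n ":" { print $2; found = 1 }
                           END { if (found) exit 0; exit 1 }')
    [ -n "$_val" ] || return 1
    printf '%s\n' "$_val"
}

# audit_blackhole TEXT
#   Prints a one-line status report and returns 0 only when both
#   net.inet.tcp.blackhole and net.inet.udp.blackhole are set to 1.
audit_blackhole() {
    _tcp=$(blackhole_value net.inet.tcp.blackhole "$1") || _tcp=missing
    _udp=$(blackhole_value net.inet.udp.blackhole "$1") || _udp=missing
    printf 'tcp.blackhole=%s udp.blackhole=%s\n' "$_tcp" "$_udp"
    [ "$_tcp" = 1 ] && [ "$_udp" = 1 ]
}

# sysctl_conf_lines
#   Prints the lines to append to /etc/sysctl.conf so that the setting is
#   applied at boot; `sysctl -w` alone is lost on reboot.
sysctl_conf_lines() {
    printf 'net.inet.tcp.blackhole=1\nnet.inet.udp.blackhole=1\n'
}

# live_audit
#   Runs the audit against the running kernel; only meaningful on FreeBSD.
live_audit() {
    command -v sysctl >/dev/null 2>&1 || { echo "sysctl not available" >&2; return 2; }
    audit_blackhole "$(sysctl net.inet.tcp.blackhole net.inet.udp.blackhole 2>/dev/null)"
}

# Demonstration on the constructed samples (safe on any host).
audit_blackhole "$SAMPLE_OFF" ||
    echo "off: closed TCP ports answer with RST, closed UDP ports with ICMP port unreachable"
audit_blackhole "$SAMPLE_ON" &&
    echo "on: SYNs and datagrams to closed ports are dropped silently; add to /etc/sysctl.conf:" &&
    sysctl_conf_lines
```

Run the script as-is to see both constructed cases; on a FreeBSD host,
call live_audit to check the running kernel instead of the samples.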
.Pp
.Sh WARNING
The TCP and UDP blackhole features should not be regarded as a replacement
for
.Xr ipfw 8
as a tool for firewalling your system.  In order to create a highly
secure system, you should use
.Xr ipfw 8
to protect your system, and not the blackhole feature.
.Pp
This mechanism is not a substitute for securing your system,
but should be used together with other security mechanisms.
.Pp
.Sh "SEE ALSO"
.Xr ipfw 8
.Xr sysctl 8
.Xr ip 4
.Xr tcp 4
.Xr udp 4
.Sh AUTHORS
.An Geoffrey M. Rehmet
.Sh HISTORY
The TCP and UDP
.Nm
MIBs
first appeared in
.Fx 4.0