.\"
.\" blackhole - drop refused TCP or UDP connects
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.Dd September 24, 2025
.Dt BLACKHOLE 4
.Os
.Sh NAME
.Nm blackhole
.Nd quietly drop refused SCTP, TCP, or UDP packets
.Sh SYNOPSIS
.Cd sysctl net.inet.sctp.blackhole Ns Op = Ns Brq "0 | 1 | 2"
.Cd sysctl net.inet.tcp.blackhole Ns Op = Ns Brq "0 | 1 | 2 | 3"
.Cd sysctl net.inet.tcp.blackhole_local Ns Op = Ns Brq "0 | 1"
.Cd sysctl net.inet.udp.blackhole Ns Op = Ns Brq "0 | 1"
.Cd sysctl net.inet.udp.blackhole_local Ns Op = Ns Brq "0 | 1"
.Sh DESCRIPTION
The
.Nm
.Xr sysctl 8
MIB controls how the system responds when connection requests
are received on SCTP, TCP, or UDP ports where there is no socket listening,
or when unexpected packets are received on listening sockets.
.Pp
The blackhole behaviour is useful to slow down an attacker who is port-scanning
a system in an attempt to detect vulnerable services.
It might also slow down an attempted denial of service attack.
Ports with a listening socket still answer normally, so blackholing does not
hide open services; it only removes the negative reply that lets a scanner
classify a port as closed at once, forcing it to wait out its own
retransmission timeout for every such port instead.
.Pp
The blackhole behaviour is disabled by default.
When it is enabled, packets originating from the local system are still
answered, unless
.Va net.inet.tcp.blackhole_local
(for TCP) and/or
.Va net.inet.udp.blackhole_local
(for UDP) are also enabled.
.Ss SCTP
Setting the SCTP blackhole MIB to a numeric value of one
will prevent sending an ABORT packet in response to an incoming INIT.
A MIB value of two will do the same, but will also prevent sending an ABORT packet
when unexpected packets are received.
.Ss TCP
Normal behaviour, when a TCP SYN segment is received on a port where
there is no socket accepting connections, is for the system to return
an RST segment, and drop the incoming SYN segment.
The connecting system will see this as a
.Dq Connection refused .
By setting the TCP blackhole MIB to a numeric value of one, the incoming
SYN segment is merely dropped, and no RST is sent, making the system appear
as a blackhole.
By setting the MIB value to two, any segment arriving
on a closed port is dropped without returning an RST.
By setting the MIB value to three, any segment arriving on a closed port
or an unexpected segment on a listening port, for example an ACK segment
that matches no existing connection, is dropped without sending an RST
in reply.
This provides some degree of protection against stealth port scans.
.Ss UDP
Enabling blackhole behaviour turns off the sending
of an ICMP port unreachable message in response to a UDP datagram which
arrives on a port where there is no socket listening.
It must be noted that UDP-based
.Xr traceroute 8
relies on that ICMP port unreachable from the destination to recognise
the final hop, so remote systems can no longer run it to completion
against a system with UDP blackholing enabled.
.Sh WARNING
The SCTP, TCP, and UDP blackhole features should not be regarded as a replacement
for firewall solutions.
Better security would consist of the
.Nm
.Xr sysctl 8
MIB used in conjunction with one of the available firewall packages.
.Pp
This mechanism is not a substitute for securing a system.
It should be used together with other security mechanisms.
.Sh SEE ALSO
.Xr ip 4 ,
.Xr sctp 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr ipf 8 ,
.Xr ipfw 8 ,
.Xr pfctl 8 ,
.Xr sysctl 8
.Sh HISTORY
The TCP and UDP
.Nm
MIBs
first appeared in
.Fx 4.0 .
.Pp
The SCTP
.Nm
MIB first appeared in
.Fx 9.1 .
.Sh AUTHORS
.An Geoffrey M. Rehmet