xref: /dflybsd-src/share/man/man4/blackhole.4 (revision 86d7f5d305c6adaa56ff4582ece9859d73106103)
.\"
.\" blackhole - drop refused TCP or UDP connects
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\"
.\" $FreeBSD: src/share/man/man4/blackhole.4,v 1.4.2.4 2001/12/17 11:30:11 ru Exp $
.\" $DragonFly: src/share/man/man4/blackhole.4,v 1.3 2006/02/17 19:37:09 swildner Exp $
.Dd August 17, 1999
.Dt BLACKHOLE 4
.Os
.Sh NAME
.Nm blackhole
.Nd a
.Xr sysctl 8
MIB for manipulating behaviour in respect of refused TCP or UDP connection
attempts
.Sh SYNOPSIS
.Cd sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
.Cd sysctl net.inet.udp.blackhole[=[0 | 1]]
.Sh DESCRIPTION
The
.Nm
.Xr sysctl 8
MIB is used to control system behaviour when connection requests
are received on TCP or UDP ports where there is no socket listening.
.Pp
Normal behaviour, when a TCP SYN segment is received on a port where
there is no socket accepting connections, is for the system to return
a RST segment, and drop the connection.  The connecting system will
see this as a "Connection reset by peer".  By setting the TCP blackhole
MIB to a numeric value of one, the incoming SYN segment
is merely dropped, and no RST is sent, making the system appear
as a blackhole.  By setting the MIB value to two, any segment arriving
on a closed port is dropped without returning a RST.  This provides
some degree of protection against stealth port scans.
.Pp
In the UDP instance, enabling blackhole behaviour turns off the sending
of an ICMP port unreachable message in response to a UDP datagram which
arrives on a port where there is no socket listening.  It must be noted
that this behaviour will prevent remote systems from running
.Xr traceroute 8
to a system.
.Pp
The blackhole behaviour is useful to slow down anyone who is port scanning
a system, attempting to detect vulnerable services on a system.
It could potentially also slow down someone who is attempting a denial
of service attack.
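.Pp
The behaviour described above, modelled in Python as an added example
(this is not code from the manual page or from the DragonFly kernel):
it encodes which answer a closed port draws under each MIB value, including
the difference between value one (only SYN segments are swallowed) and value
two (every segment is swallowed), and audits the host's posture from the
"name: value" output format of
.Xr sysctl 8 ,
which it assumes and for which it constructs a sample inline.
The audit also reports the
.Xr traceroute 8
caveat when UDP blackholing is on.

```python
# Added example, not part of blackhole(4) or the DragonFly kernel: a model of
# the decisions the manual page describes, plus an audit over sysctl(8) output.
from __future__ import annotations

# Possible fates of a packet arriving at the host.
DELIVER = "deliver-to-socket"           # a socket is listening; normal processing
TCP_RST = "tcp-rst"                     # host answers with a RST segment
ICMP_UNREACH = "icmp-port-unreachable"  # host answers with ICMP port unreachable
DROP = "silent-drop"                    # nothing is sent; the peer sees a timeout


def tcp_response(listening: bool, syn: bool, blackhole: int) -> str:
    """Fate of a TCP segment under net.inet.tcp.blackhole = 0, 1 or 2.

    Per blackhole(4): 0 keeps the default RST, 1 swallows only SYN segments
    to closed ports, 2 swallows every segment to a closed port.
    """
    if blackhole not in (0, 1, 2):
        raise ValueError("net.inet.tcp.blackhole accepts only 0, 1 or 2")
    if listening:
        return DELIVER
    if blackhole == 2:
        return DROP
    if blackhole == 1 and syn:
        return DROP
    return TCP_RST  # value 0, or a non-SYN segment under value 1


def udp_response(listening: bool, blackhole: int) -> str:
    """Fate of a UDP datagram under net.inet.udp.blackhole = 0 or 1."""
    if blackhole not in (0, 1):
        raise ValueError("net.inet.udp.blackhole accepts only 0 or 1")
    if listening:
        return DELIVER
    return DROP if blackhole == 1 else ICMP_UNREACH


def parse_sysctl(output: str) -> dict[str, int]:
    """Parse 'name: value' lines as sysctl(8) prints them on FreeBSD/DragonFly.

    Only the two blackhole MIBs are collected; anything else is ignored.
    """
    settings = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if sep and name.endswith(".blackhole") and value.isdigit():
            settings[name] = int(value)
    return settings


def audit(output: str) -> list[str]:
    """Summarise the host's posture and the caveats blackhole(4) points out."""
    s = parse_sysctl(output)
    tcp = s.get("net.inet.tcp.blackhole", 0)   # kernel default is 0
    udp = s.get("net.inet.udp.blackhole", 0)
    tcp_text = {
        0: "closed TCP ports answer every segment with a RST",
        1: "SYN segments to closed TCP ports are dropped; other segments still draw a RST",
        2: "every segment to a closed TCP port is dropped",
    }
    findings = [f"net.inet.tcp.blackhole={tcp}: {tcp_text.get(tcp, 'unknown value')}"]
    if udp == 1:
        findings.append("net.inet.udp.blackhole=1: ICMP port unreachable is suppressed; "
                        "traceroute(8) towards this host will not complete")
    else:
        findings.append(f"net.inet.udp.blackhole={udp}: closed UDP ports answer "
                        "with ICMP port unreachable")
    if tcp or udp:
        findings.append("blackhole is not a firewall: keep ipfw(8) rules in place as well")
    return findings


# Constructed sample of `sysctl net.inet.tcp.blackhole net.inet.udp.blackhole` output.
SAMPLE_SYSCTL = """\
net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTL):
        print(finding)
```

On a real host, feed the script the output of
.Xr sysctl 8
instead of the constructed sample; the decision functions are the part worth
reading, since they make explicit that value one still returns a RST for
non-SYN segments, which is why value two is the setting that hides a closed
port from every probe type.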
.Sh WARNING
The TCP and UDP blackhole features should not be regarded as a replacement
for
.Xr ipfw 8
as a tool for firewalling a system.  In order to create a highly
secure system,
.Xr ipfw 8
should be used for protection, not the blackhole feature.
.Pp
This mechanism is not a substitute for securing a system.
It should be used together with other security mechanisms.
.Sh SEE ALSO
.Xr ip 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8
.Sh HISTORY
The TCP and UDP
.Nm
MIBs
first appeared in
.Fx 4.0 .
.Sh AUTHORS
.An Geoffrey M. Rehmet