Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
BLACKHOLE(4)           FreeBSD Kernel Interfaces Manual           BLACKHOLE(4)

     blackhole - a sysctl(8) MIB for manipulating behaviour in respect of
     refused TCP or UDP connection attempts

     sysctl net.inet.tcp.blackhole[=[0 |
     1 |
     sysctl net.inet.udp.blackhole[=[0 |

     The blackhole sysctl(8) MIB is used to control system behaviour when
     connection requests are received on TCP or UDP ports where there is no
     socket listening.

     Normal behaviour, when a TCP SYN segment is received on a port where
     there is no socket accepting connections, is for the system to return a
     RST segment, and drop the connection.  The connecting system will see
     this as a "Connection reset by peer".  By setting the TCP blackhole MIB
     to a numeric value of one, the incoming SYN segment is merely dropped,
     and no RST is sent, making the system appear as a blackhole.  By setting
     the MIB value to two, any segment arriving on a closed port is dropped
     without returning a RST.  This provides some degree of protection against
     stealth port scans.

     In the UDP instance, enabling blackhole behaviour turns off the sending
     of an ICMP port unreachable message in response to a UDP datagram which
     arrives on a port where there is no socket listening.  It must be noted
     that this behaviour will prevent remote systems from running
     traceroute(8) to a system.

     The blackhole behaviour is useful to slow down anyone who is port
     scanning a system, attempting to detect vulnerable services on a system.
     It could potentially also slow down someone who is attempting a denial of
     service attack.

     The TCP and UDP blackhole features should not be regarded as a
     replacement for ipfw(8) as a tool for firewalling a system.  In order to
     create a highly secure system, ipfw(8) should be used for protection, not
     the blackhole feature.

     This mechanism is not a substitute for securing a system.  It should be
     used together with other security mechanisms.

     ip(4), tcp(4), udp(4), ipfw(8), sysctl(8)

     Geoffrey M. Rehmet

     The TCP and UDP blackhole MIBs first appeared in FreeBSD 4.0.

FreeBSD 11.0-PRERELEASE         August 17, 1999        FreeBSD 11.0-PRERELEASE


Want to link to this manual page? Use this URL:

home | help