aboutsummaryrefslogtreecommitdiff
path: root/share/man/man4/blackhole.4
diff options
context:
space:
mode:
Diffstat (limited to 'share/man/man4/blackhole.4')
-rw-r--r--share/man/man4/blackhole.484
1 files changed, 84 insertions, 0 deletions
diff --git a/share/man/man4/blackhole.4 b/share/man/man4/blackhole.4
new file mode 100644
index 000000000000..2005aabb31bd
--- /dev/null
+++ b/share/man/man4/blackhole.4
@@ -0,0 +1,84 @@
+.\"
+.\" blackhole - drop refused TCP or UDP connects
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\"
+.\" $FreeBSD$
+.Dd January 1, 2007
+.Dt BLACKHOLE 4
+.Os
+.Sh NAME
+.Nm blackhole
+.Nd a
+.Xr sysctl 8
+MIB for manipulating behaviour in respect of refused TCP or UDP connection
+attempts
+.Sh SYNOPSIS
+.Cd sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
+.Cd sysctl net.inet.udp.blackhole[=[0 | 1]]
+.Sh DESCRIPTION
+The
+.Nm
+.Xr sysctl 8
+MIB is used to control system behaviour when connection requests
+are received on TCP or UDP ports where there is no socket listening.
+.Pp
+Normal behaviour, when a TCP SYN segment is received on a port where
+there is no socket accepting connections, is for the system to return
+a RST segment, and drop the connection.
+The connecting system will
+see this as a
+.Dq Connection refused .
+By setting the TCP blackhole
+MIB to a numeric value of one, the incoming SYN segment
+is merely dropped, and no RST is sent, making the system appear
+as a blackhole.
+By setting the MIB value to two, any segment arriving
+on a closed port is dropped without returning a RST.
+This provides some degree of protection against stealth port scans.
+.Pp
+In the UDP instance, enabling blackhole behaviour turns off the sending
+of an ICMP port unreachable message in response to a UDP datagram which
+arrives on a port where there is no socket listening.
+It must be noted that this behaviour will prevent remote systems from running
+.Xr traceroute 8
+to a system.
+.Pp
+The blackhole behaviour is useful to slow down anyone who is port scanning
+a system, attempting to detect vulnerable services on a system.
+It could potentially also slow down someone who is attempting a denial
+of service attack.
+.Sh WARNING
+The TCP and UDP blackhole features should not be regarded as a replacement
+for firewall solutions.
+Better security would consist of the
+.Nm
+.Xr sysctl 8
+MIB used in conjuction with one of the available firewall packages.
+.Pp
+This mechanism is not a substitute for securing a system.
+It should be used together with other security mechanisms.
+.Sh SEE ALSO
+.Xr ip 4 ,
+.Xr tcp 4 ,
+.Xr udp 4 ,
+.Xr ipf 8 ,
+.Xr ipfw 8 ,
+.Xr pfctl 8 ,
+.Xr sysctl 8
+.Sh HISTORY
+The TCP and UDP
+.Nm
+MIBs
+first appeared in
+.Fx 4.0 .
+.Sh AUTHORS
+.An Geoffrey M. Rehmet
generated by cgit v1.2.3 (git 2.25.1) at 2025-03-17 23:25:34 +0000