Lines 19-71
| 19 |
.Nm blackhole |
19 |
.Nm blackhole |
| 20 |
.Nd a |
20 |
.Nd a |
| 21 |
.Xr sysctl 8 |
21 |
.Xr sysctl 8 |
| 22 |
MIB for manipulating behaviour in respect of refused TCP or UDP connection |
22 |
MIB for manipulating behavior in respect of refused TCP or UDP connection |
| 23 |
attempts |
23 |
attempts |
| 24 |
.Sh SYNOPSIS |
24 |
.Sh SYNOPSIS |
| 25 |
.Cd sysctl net.inet.tcp.blackhole |
25 |
.Cd sysctl net.inet.tcp.blackhole=[0 | 1 | 2] |
| 26 |
.Cd sysctl net.inet.udp.blackhole |
26 |
.Cd sysctl net.inet.udp.blackhole=[0 | 1] |
| 27 |
.Pp |
|
|
| 28 |
.Cd sysctl -w net.inet.tcp.blackhole=[0 | 1 | 2] |
| 29 |
.Cd sysctl -w net.inet.udp.blackhole=[0 | 1] |
| 30 |
.Sh DESCRIPTION |
27 |
.Sh DESCRIPTION |
| 31 |
The |
28 |
The |
| 32 |
.Nm |
29 |
.Nm |
| 33 |
.Xr sysctl 8 |
30 |
.Xr sysctl 8 |
| 34 |
MIB is used to control system behaviour when connection requests |
31 |
MIB is used to control system behavior when connection requests |
| 35 |
are received on TCP or UDP ports where there is no socket listening. |
32 |
are received on TCP or UDP ports where there is no socket listening. |
| 36 |
.Pp |
33 |
.Pp |
| 37 |
Normal behaviour, when a TCP SYN segment is received on a port where |
34 |
Normal behavior, when a TCP SYN segment is received on a port where |
| 38 |
there is no socket accepting connections, is for the system to return |
35 |
there is no socket accepting connections, is for the system to return |
| 39 |
a RST segment, and drop the connection. The connecting system will |
36 |
a RST segment, and drop the connection. The connecting system will |
| 40 |
see this as a "Connection reset by peer". By turning the TCP black |
37 |
see this as a "Connection reset by peer". By setting the TCP blackhole |
| 41 |
hole MIB on to a numeric value of one, the incoming SYN segment |
38 |
MIB to a numeric value of one, the incoming SYN segment |
| 42 |
is merely dropped, and no RST is sent, making the system appear |
39 |
is merely dropped, and no RST is sent, making the system appear |
| 43 |
as a blackhole. By setting the MIB value to two, any segment arriving |
40 |
as a blackhole. By setting the MIB value to two, any segment arriving |
| 44 |
on a closed port is dropped without returning a RST. This provides |
41 |
on a closed port is dropped without returning a RST. This provides |
| 45 |
some degree of protection against stealth port scans. |
42 |
some degree of protection against stealth port scans. |
| 46 |
.Pp |
43 |
.Pp |
| 47 |
In the UDP instance, enabling blackhole behaviour turns off the sending |
44 |
In the UDP instance, enabling blackhole behavior turns off the sending |
| 48 |
of an ICMP port unreachable message in response to a UDP datagram which |
45 |
of an ICMP port unreachable message in response to a UDP datagram which |
| 49 |
arrives on a port where there is no socket listening. It must be noted |
46 |
arrives on a port where there is no socket listening. It must be noted |
| 50 |
that this behaviour will prevent remote systems from running |
47 |
that this behavior will prevent remote systems from running |
| 51 |
.Xr traceroute 8 |
48 |
.Xr traceroute 8 |
| 52 |
to your system. |
49 |
to a system. |
| 53 |
.Pp |
50 |
.Pp |
| 54 |
The blackhole behaviour is useful to slow down anyone who is port scanning |
51 |
The blackhole behavior is useful to slow down anyone who is port scanning |
| 55 |
your system, in order to try and detect vulnerable services on your system. |
52 |
a system, attempting to detect vulnerable services on a system. |
| 56 |
It could potentially also slow down someone who is attempting a denial |
53 |
It could potentially also slow down someone who is attempting a denial |
| 57 |
of service against your system. |
54 |
of service attack. |
| 58 |
.Sh WARNING |
55 |
.Sh WARNING |
| 59 |
The TCP and UDP blackhole features should not be regarded as a replacement |
56 |
The TCP and UDP blackhole features should not be regarded as a replacement |
| 60 |
for |
57 |
for |
| 61 |
.Xr ipfw 8 |
58 |
.Xr ipfw 8 |
| 62 |
as a tool for firewalling your system. In order to create a highly |
59 |
as a tool for firewalling a system. In order to create a highly |
| 63 |
secure system, you should use |
60 |
secure system, |
| 64 |
.Xr ipfw 8 |
61 |
.Xr ipfw 8 |
| 65 |
to protect your system, and not the blackhole feature. |
62 |
should be used for protection, not the blackhole feature. |
| 66 |
.Pp |
63 |
.Pp |
| 67 |
This mechanism is not a substitute for securing your system, |
64 |
This mechanism is not a substitute for securing a system. |
| 68 |
but should be used together with other security mechanisms. |
65 |
It should be used together with other security mechanisms. |
| 69 |
.Sh SEE ALSO |
66 |
.Sh SEE ALSO |
| 70 |
.Xr ip 4 , |
67 |
.Xr ip 4 , |
| 71 |
.Xr tcp 4 , |
68 |
.Xr tcp 4 , |
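Review bot: The reworded sentence at new line 52 now reads "a system, attempting to detect vulnerable services on a system", which repeats "a system" twice in one sentence and loses the link the old text had between the scanned host and the services being probed; suggest "port scanning a system in order to detect vulnerable services on it." Similarly, new line 49 changes "to your system" to "to a system", but the sentence is specifically about the host that has UDP blackhole enabled, so "to the system" would be more accurate. The rest of the rewrite is consistent: "behaviour" becomes "behavior" throughout, "black hole MIB" becomes "blackhole MIB" to match the .Nm, and collapsing the SYNOPSIS to the two .Cd lines with the value ranges inline is fine, since sysctl(8) accepts name=value without -w.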