FreeBSD Bugzilla – Attachment 16862 Details for Bug 30772: blackhole(4) manpage updates
[patch] file.diff (text/plain), 3.14 KB, created by Peter Avalos on 2001-09-23 22:50:02 UTC
>--- blackhole.4 Tue Aug 14 04:58:07 2001 >+++ blackhole.4.new Sun Sep 23 14:37:51 2001 
>@@ -19,53 +19,50 @@ > .Nm blackhole > .Nd a > .Xr sysctl 8 >-MIB for manipulating behaviour in respect of refused TCP or UDP connection >+MIB for manipulating behavior in respect of refused TCP or UDP connection > attempts > .Sh SYNOPSIS >-.Cd sysctl net.inet.tcp.blackhole >-.Cd sysctl net.inet.udp.blackhole >-.Pp >-.Cd sysctl -w net.inet.tcp.blackhole=[0 | 1 | 2] >-.Cd sysctl -w net.inet.udp.blackhole=[0 | 1] >+.Cd sysctl net.inet.tcp.blackhole=[0 | 1 | 2] >+.Cd sysctl net.inet.udp.blackhole=[0 | 1] > .Sh DESCRIPTION > The > .Nm > .Xr sysctl 8 >-MIB is used to control system behaviour when connection requests >+MIB is used to control system behavior when connection requests > are received on TCP or UDP ports where there is no socket listening. > .Pp >-Normal behaviour, when a TCP SYN segment is received on a port where >+Normal behavior, when a TCP SYN segment is received on a port where > there is no socket accepting connections, is for the system to return > a RST segment, and drop the connection. The connecting system will >-see this as a "Connection reset by peer". By turning the TCP black >-hole MIB on to a numeric value of one, the incoming SYN segment >+see this as a "Connection reset by peer". By setting the TCP blackhole >+MIB to a numeric value of one, the incoming SYN segment > is merely dropped, and no RST is sent, making the system appear > as a blackhole. By setting the MIB value to two, any segment arriving > on a closed port is dropped without returning a RST. This provides > some degree of protection against stealth port scans. > .Pp >-In the UDP instance, enabling blackhole behaviour turns off the sending >+In the UDP instance, enabling blackhole behavior turns off the sending > of an ICMP port unreachable message in response to a UDP datagram which > arrives on a port where there is no socket listening. 
It must be noted >-that this behaviour will prevent remote systems from running >+that this behavior will prevent remote systems from running > .Xr traceroute 8 >-to your system. >+to a system. > .Pp >-The blackhole behaviour is useful to slow down anyone who is port scanning >-your system, in order to try and detect vulnerable services on your system. >+The blackhole behavior is useful to slow down anyone who is port scanning >+a system, attempting to detect vulnerable services on a system. > It could potentially also slow down someone who is attempting a denial >-of service against your system. >+of service attack. > .Sh WARNING > The TCP and UDP blackhole features should not be regarded as a replacement > for > .Xr ipfw 8 >-as a tool for firewalling your system. In order to create a highly >-secure system, you should use >+as a tool for firewalling a system. In order to create a highly >+secure system, > .Xr ipfw 8 >-to protect your system, and not the blackhole feature. >+should be used for protection, not the blackhole feature. > .Pp >-This mechanism is not a substitute for securing your system, >-but should be used together with other security mechanisms. >+This mechanism is not a substitute for securing a system. >+It should be used together with other security mechanisms. > .Sh SEE ALSO > .Xr ip 4 , > .Xr tcp 4 ,
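Review bot: In the SYNOPSIS lines, the two query-only forms (".Cd sysctl net.inet.tcp.blackhole" and ".Cd sysctl net.inet.udp.blackhole") are removed together with the "-w" forms, so the page no longer shows how to read the current setting. Consider keeping the query forms next to the new assignment forms so an administrator can check a host's value before changing it. In the DESCRIPTION, the new wording "port scanning a system, attempting to detect vulnerable services on a system" repeats "a system" within one sentence; something like "port scanning a system in an attempt to detect vulnerable services" reads more cleanly. Likewise, "running traceroute to a system" is less precise than the old "your system", since the effect applies only to the host with the MIB set; "to the system" would keep that meaning in the impersonal voice.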