Provided by: freebsd-manpages_10.1~RC1-1_all

NAME
     blackhole — a sysctl(8) MIB for manipulating behaviour in respect of refused TCP or UDP
     connection attempts

SYNOPSIS
     sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
     sysctl net.inet.udp.blackhole[=[0 | 1]]

DESCRIPTION
     The blackhole sysctl(8) MIB is used to control system behaviour when connection requests are
     received on TCP or UDP ports where there is no socket listening.

     Normal behaviour, when a TCP SYN segment is received on a port where there is no socket
     accepting connections, is for the system to return a RST segment, and drop the connection.
     The connecting system will see this as a “Connection refused”.  By setting the TCP blackhole
     MIB to a numeric value of one, the incoming SYN segment is merely dropped, and no RST is
     sent, making the system appear as a blackhole.  By setting the MIB value to two, any segment
     arriving on a closed port is dropped without returning a RST.  This provides some degree of
     protection against stealth port scans.

     In the UDP instance, enabling blackhole behaviour turns off the sending of an ICMP port
     unreachable message in response to a UDP datagram which arrives on a port where there is no
     socket listening.  It must be noted that this behaviour will prevent remote systems from
     running traceroute(8) to a system.

     The blackhole behaviour is useful to slow down anyone who is port scanning a system,
     attempting to detect vulnerable services on a system.  It could potentially also slow down
     someone who is attempting a denial of service attack.

WARNING
     The TCP and UDP blackhole features should not be regarded as a replacement for firewall
     solutions.  Better security would consist of the blackhole sysctl(8) MIB used in conjunction
     with one of the available firewall packages.

     This mechanism is not a substitute for securing a system.  It should be used together with
     other security mechanisms.

SEE ALSO
     ip(4), tcp(4), udp(4), ipf(8), ipfw(8), pfctl(8), sysctl(8)

HISTORY
     The TCP and UDP blackhole MIBs first appeared in FreeBSD 4.0.

AUTHORS
     Geoffrey M. Rehmet