Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

blackhole(4) [freebsd man page]

BLACKHOLE(4)						   BSD Kernel Interfaces Manual 					      BLACKHOLE(4)

NAME

     blackhole -- a sysctl(8) MIB for manipulating behaviour in respect of refused TCP or UDP connection attempts

SYNOPSIS

     sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
     sysctl net.inet.udp.blackhole[=[0 | 1]]

DESCRIPTION

     The blackhole sysctl(8) MIB is used to control system behaviour when connection requests are received on TCP or UDP ports where there is no
     socket listening.

     Normal behaviour, when a TCP SYN segment is received on a port where there is no socket accepting connections, is for the system to return a
     RST segment, and drop the connection.  The connecting system will see this as a ``Connection refused''.  By setting the TCP blackhole MIB to
     a numeric value of one, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole.  By setting
     the MIB value to two, any segment arriving on a closed port is dropped without returning a RST.  This provides some degree of protection
     against stealth port scans.

     In the UDP instance, enabling blackhole behaviour turns off the sending of an ICMP port unreachable message in response to a UDP datagram
     which arrives on a port where there is no socket listening.  It must be noted that this behaviour will prevent remote systems from running
     traceroute(8) to a system.

     The blackhole behaviour is useful to slow down anyone who is port scanning a system, attempting to detect vulnerable services on a system.
     It could potentially also slow down someone who is attempting a denial of service attack.

WARNING

     The TCP and UDP blackhole features should not be regarded as a replacement for firewall solutions.  Better security would consist of the
     blackhole sysctl(8) MIB used in conjunction with one of the available firewall packages.

     This mechanism is not a substitute for securing a system.	It should be used together with other security mechanisms.

SEE ALSO

     ip(4), tcp(4), udp(4), ipf(8), ipfw(8), pfctl(8), sysctl(8)

HISTORY

     The TCP and UDP blackhole MIBs first appeared in FreeBSD 4.0.

AUTHORS

     Geoffrey M. Rehmet

BSD
								  January 1, 2007							       BSD

Check Out this Related Man Page

UDP(4)							   BSD Kernel Interfaces Manual 						    UDP(4)

NAME

     udp -- Internet User Datagram Protocol

SYNOPSIS

     #include <sys/types.h>
     #include <sys/socket.h>
     #include <netinet/in.h>

     int
     socket(AF_INET, SOCK_DGRAM, 0);

DESCRIPTION

     UDP is a simple, unreliable datagram protocol which is used to support the SOCK_DGRAM abstraction for the Internet protocol family.  UDP
     sockets are connectionless, and are normally used with the sendto(2) and recvfrom(2) calls, though the connect(2) call may also be used to
     fix the destination for future packets (in which case the recv(2) or read(2) and send(2) or write(2) system calls may be used).

     UDP address formats are identical to those used by TCP.  In particular UDP provides a port identifier in addition to the normal Internet
     address format.  Note that the UDP port space is separate from the TCP port space (i.e., a UDP port may not be ``connected'' to a TCP port).
     In addition broadcast packets may be sent (assuming the underlying network supports this) by using a reserved ``broadcast address''; this
     address is network interface dependent.

     Options at the IP transport level may be used with UDP; see ip(4).

ERRORS

     A socket operation may fail with one of the following errors returned:

     [EISCONN]		when trying to establish a connection on a socket which already has one, or when trying to send a datagram with the desti-
			nation address specified and the socket is already connected;

     [ENOTCONN] 	when trying to send a datagram, but no destination address is specified, and the socket has not been connected;

     [ENOBUFS]		when the system runs out of memory for an internal data structure;

     [EADDRINUSE]	when an attempt is made to create a socket with a port which has already been allocated;

     [EADDRNOTAVAIL]	when an attempt is made to create a socket with a network address for which no network interface exists.

MIB VARIABLES

     The udp protocol implements a number of variables in the net.inet branch of the sysctl(3) MIB.

     UDPCTL_CHECKSUM	(udp.checksum) Enable udp checksums (enabled by default).

     UDPCTL_MAXDGRAM	(udp.maxdgram) Maximum outgoing UDP datagram size

     UDPCTL_RECVSPACE	(udp.recvspace) Maximum space for incoming UDP datagrams

     udp.log_in_vain	For all udp datagrams, to ports on which there is no socket listening, log the connection attempt (disabled by default).

     udp.blackhole	When a datagram is received on a port where there is no socket listening, do not return an ICMP port unreachable message.
			(Disabled by default.  See blackhole(4).)

SEE ALSO

     getsockopt(2), recv(2), send(2), socket(2), blackhole(4), inet(4), intro(4), ip(4)

HISTORY

     The udp protocol appeared in 4.2BSD.

BSD
								   June 5, 1993 							       BSD
Man Page