Date: 23 Sep 2001 21:46:30 -0000 From: Peter Avalos <pavalos@theshell.com> To: FreeBSD-gnats-submit@freebsd.org Subject: docs/30772: blackhole(4) manpage updates Message-ID: <20010923214630.21280.qmail@theshell.com>
>Number: 30772
>Category: docs
>Synopsis: blackhole(4) manpage updates
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 23 14:50:02 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Peter Avalos
>Release: FreeBSD 4.4-STABLE i386
>Organization: none
>Environment:
System: FreeBSD arsenic.theshell.com 4.4-STABLE FreeBSD 4.4-STABLE #0: Tue Sep 18 17:29:35 PDT 2001 support@arsenic.theshell.com:/usr/obj/usr/src/sys/ARSENIC i386
>Description:
The blackhole(4) manpage uses the deprecated sysctl -w as an example and it is a bit wordy.
>How-To-Repeat:
>Fix:
behaviour -> behavior
sysctl -w -> sysctl
black hole -> blackhole
remove second-person pronouns (your)
Fix some wordiness.
--- blackhole.4 Tue Aug 14 04:58:07 2001
+++ blackhole.4.new Sun Sep 23 14:37:51 2001
@@ -19,53 +19,50 @@ .Nm blackhole .Nd a .Xr sysctl 8 -MIB for manipulating behaviour in respect of refused TCP or UDP connection +MIB for manipulating behavior in respect of refused TCP or UDP connection attempts .Sh SYNOPSIS -.Cd sysctl net.inet.tcp.blackhole -.Cd sysctl net.inet.udp.blackhole -.Pp -.Cd sysctl -w net.inet.tcp.blackhole=[0 | 1 | 2] -.Cd sysctl -w net.inet.udp.blackhole=[0 | 1] +.Cd sysctl net.inet.tcp.blackhole=[0 | 1 | 2] +.Cd sysctl net.inet.udp.blackhole=[0 | 1] .Sh DESCRIPTION The .Nm .Xr sysctl 8 -MIB is used to control system behaviour when connection requests +MIB is used to control system behavior when connection requests are received on TCP or UDP ports where there is no socket listening. .Pp -Normal behaviour, when a TCP SYN segment is received on a port where +Normal behavior, when a TCP SYN segment is received on a port where there is no socket accepting connections, is for the system to return a RST segment, and drop the connection. The connecting system will -see this as a "Connection reset by peer". By turning the TCP black -hole MIB on to a numeric value of one, the incoming SYN segment +see this as a "Connection reset by peer". By setting the TCP blackhole +MIB to a numeric value of one, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole. By setting the MIB value to two, any segment arriving on a closed port is dropped without returning a RST. This provides some degree of protection against stealth port scans. .Pp -In the UDP instance, enabling blackhole behaviour turns off the sending +In the UDP instance, enabling blackhole behavior turns off the sending of an ICMP port unreachable message in response to a UDP datagram which arrives on a port where there is no socket listening. It must be noted -that this behaviour will prevent remote systems from running +that this behavior will prevent remote systems from running .Xr traceroute 8 -to your system. +to a system. 
.Pp -The blackhole behaviour is useful to slow down anyone who is port scanning -your system, in order to try and detect vulnerable services on your system. +The blackhole behavior is useful to slow down anyone who is port scanning +a system, attempting to detect vulnerable services on a system. It could potentially also slow down someone who is attempting a denial -of service against your system. +of service attack. .Sh WARNING The TCP and UDP blackhole features should not be regarded as a replacement for .Xr ipfw 8 -as a tool for firewalling your system. In order to create a highly -secure system, you should use +as a tool for firewalling a system. In order to create a highly +secure system, .Xr ipfw 8 -to protect your system, and not the blackhole feature. +should be used for protection, not the blackhole feature. .Pp -This mechanism is not a substitute for securing your system, -but should be used together with other security mechanisms. +This mechanism is not a substitute for securing a system. +It should be used together with other security mechanisms. .Sh SEE ALSO .Xr ip 4 , .Xr tcp 4 , >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
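Review bot: The SYNOPSIS part of this hunk removes the two read-only forms (`-.Cd sysctl net.inet.tcp.blackhole` and `-.Cd sysctl net.inet.udp.blackhole`) along with the `-w` lines, so the page no longer shows how to query the current setting, only how to assign one; keep the bare `.Cd sysctl net.inet.tcp.blackhole` / `.Cd sysctl net.inet.udp.blackhole` lines alongside the new `.Cd sysctl net.inet.tcp.blackhole=[0 | 1 | 2]` form, since dropping `-w` only requires removing the flag, not the read-only examples. Separately, the replacement of "your system" with "a system" in the DESCRIPTION paragraph produces the awkward "port scanning a system, attempting to detect vulnerable services on a system"; "the local system" (or simply "the system") in both places keeps the third-person wording the PR asks for without the repetition, and the same applies to "to a system" in the traceroute sentence, where the intended meaning is the system on which the MIB is set.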