Board: FB_security
Subject: Re: portscans and blackhole
Posted from: NCTU CS FreeBSD Server (Thu Jan 30 02:24:17 2014)
Relay path: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
Hello,
On 01/29/2014 03:31 PM, Fabian Wenk wrote:
>> net.inet.tcp.blackhole=1
>>
>> +Limiting closed port RST response from 348 to 200 packets/sec
>
> According to the blackhole(4) manpage (from a FreeBSD 9.1 system):
>
> ---8<------------------------------------------------------------
> SYNOPSIS
> sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
> sysctl net.inet.udp.blackhole[=[0 | 1]]
>
> Part of DESCRIPTION:
> system will see this as a "Connection refused". By setting the TCP
> blackhole MIB to a numeric value of one, the incoming SYN segment is
> merely dropped, and no RST is sent, making the system appear as a
> blackhole. By setting the MIB value to two, any segment arriving on
> a closed port is dropped without returning a RST. This provides
> some degree of protection against stealth port scans.
This added to the confusion and thus made me ask. The manpage says
for both values of net.inet.tcp.blackhole={1,2} that no RSTs are
sent out.
Both seem to drop SYNs and suppress sending a RST.
Reading it again, the only conclusion I could get to regarding the
difference between 1 and 2 would be that for a value of 2, all other
TCP packets with flags other than SYN are additionally ignored. Is
this a better way to understand it?
> So it is possible that you are hit with something else than SYN
> packets and should probably set net.inet.tcp.blackhole=2, or even
> with UDP packets, then also set net.inet.udp.blackhole=1.
This remains a likely explanation, i.e. FIN scans etc.
> What output does 'sysctl -a | grep blackhole' show?
It used to be
net.inet.tcp.blackhole: 1
net.inet.udp.blackhole: 1
Since setting the TCP value to 2, no more messages like these have popped
up, supporting your line of thought.
> bye
> Fabian
thank you,
Tee
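The following is an added example, not part of the thread above and not FreeBSD's own code. It models the closed-port reply policy exactly as the quoted blackhole(4) text describes it, so that the difference between blackhole=1 and blackhole=2 for non-SYN probes (FIN, NULL, Xmas, ACK scans) can be checked, and it parses the kernel's "Limiting closed port RST response" log line that started the discussion. Assumptions: "SYN segment" is modelled as "SYN bit set" (the manpage wording, not a reading of the kernel source); the probe table is constructed here from common scanner probe types; the default reply budget of 200 packets/sec is net.inet.icmp.icmplim's default; the sample log line is constructed to mirror the one quoted in the thread.

```python
import re

# TCP flag bits (low byte of the flags field, RFC 793 numbering).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def closed_port_response(proto, flags=0, tcp_blackhole=0, udp_blackhole=0):
    """Reply the kernel sends to a segment or datagram aimed at a port with
    no listener, following the blackhole(4) description:
      tcp=0: RST for anything ("Connection refused")
      tcp=1: a segment with the SYN bit set is dropped silently, anything
             else still gets a RST
      tcp=2: every segment to a closed port is dropped silently
      udp=0: ICMP port unreachable;  udp=1: dropped silently
    Returns "RST", "ICMP_UNREACH" or None (dropped).
    Assumption: "SYN segment" is modelled as "SYN bit set" (manpage wording).
    """
    if proto == "udp":
        return None if udp_blackhole else "ICMP_UNREACH"
    if proto != "tcp":
        raise ValueError(f"unsupported protocol {proto!r}")
    if flags & RST:
        return None            # RFC 793: a RST is never answered with a RST
    if tcp_blackhole == 2:
        return None
    if tcp_blackhole == 1 and flags & SYN:
        return None
    return "RST"


# Constructed table of probe types a scanner sends to a closed port
# (the flag combinations used by nmap's -sS/-sF/-sN/-sX/-sA/-sU).
PROBES = {
    "SYN scan":  ("tcp", SYN),
    "FIN scan":  ("tcp", FIN),
    "NULL scan": ("tcp", 0),
    "Xmas scan": ("tcp", FIN | PSH | URG),
    "ACK scan":  ("tcp", ACK),
    "UDP scan":  ("udp", 0),
}


def responses_by_setting(tcp_blackhole, udp_blackhole):
    """Map each probe type to the reply it elicits under the given sysctls."""
    return {name: closed_port_response(proto, flags, tcp_blackhole, udp_blackhole)
            for name, (proto, flags) in PROBES.items()}


def would_trigger_bandlim(tcp_blackhole, flags, probes_per_sec, icmplim=200):
    """True if a scan of closed ports at this rate with these flags would
    exceed the per-second reply budget (net.inet.icmp.icmplim, default 200)
    and so produce a "Limiting closed port RST response" log line."""
    if closed_port_response("tcp", flags, tcp_blackhole) != "RST":
        return False           # nothing is sent, so nothing to rate-limit
    return probes_per_sec > icmplim


# Kernel log line written when the reply budget is exceeded; "seen" is the
# attempted reply rate and "limit" the configured budget.
BANDLIM_RE = re.compile(
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) packets/sec")


def parse_bandlim_line(line):
    """Parse a bandlim log line into its fields, or return None for other lines."""
    m = BANDLIM_RE.search(line)
    if not m:
        return None
    return {"kind": m["kind"], "seen": int(m["seen"]), "limit": int(m["limit"])}


if __name__ == "__main__":
    for tcp in (0, 1, 2):
        print(f"net.inet.tcp.blackhole={tcp}, udp=1:", responses_by_setting(tcp, 1))
    # Constructed sample line, mirroring the one quoted in the thread.
    sample = "kernel: Limiting closed port RST response from 348 to 200 packets/sec"
    print(parse_bandlim_line(sample))
    print("FIN scan at 348/s logs under tcp=1:", would_trigger_bandlim(1, FIN, 348))
    print("FIN scan at 348/s logs under tcp=2:", would_trigger_bandlim(2, FIN, 348))
```

Running it shows the point of the thread: with net.inet.tcp.blackhole=1 a FIN, NULL, Xmas or ACK scan of closed ports still draws one RST per probe, and at 348 probes/sec that exceeds the 200/sec budget and produces the log line; with the value set to 2 no RST leaves the box for any of them. To make the setting survive a reboot, put net.inet.tcp.blackhole=2 and net.inet.udp.blackhole=1 in /etc/sysctl.conf.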
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "
[email protected]"