Board: FB_security
Title: Re: portscans and blackhole
Origin: NCTU CS FreeBSD Server (Fri Jan 31 03:31:44 2014)
Relay path: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
Hello
On 29.01.14 18:24, sa9k063 wrote:
> On 01/29/2014 03:31 PM, Fabian Wenk wrote:
>> system will see this as a "Connection refused". By setting the TCP
>> blackhole MIB to a numeric value of one, the incoming SYN segment is
>> merely dropped, and no RST is sent, making the system appear as a
>> blackhole. By setting the MIB value to two, any segment arriving on
>> a closed port is dropped without returning a RST. This provides
>> some degree of protection against stealth port scans.
>
> This added to the confusion and thus made me ask. The manpage says
> for both values of net.inet.tcp.blackhole={1,2} that no RSTs are
> sent out.
> Both seem to drop SYNs and suppress sending a RST.
>
> Reading it again, the only conclusion I could get to regarding the
> difference between 1 and 2 would be that for a value of 2, all other
> tcp packets with flags other than SYN are additionally ignored. Is
> this a better way to understand it ?
Yes. I read it this way:
If set to 1, it drops and does not send a RST only for SYN packets;
if set to 2, it drops and does not send a RST for all packets.
>> So it is possible, that you are hit with something else than SYN
>> packets and should probably set net.inet.tcp.blackhole=2, or even
>> with UDP packets, then also set net.inet.udp.blackhole=1.
>
> This remains as a likely explanation, i.e. FIN scans etc.
>
>> What output does 'sysctl -a | grep blackhole' show?
>
> it used to be
>
> net.inet.tcp.blackhole: 1
> net.inet.udp.blackhole: 1
>
> since setting the tcp value to 2 no more messages like these popped
> up supporting your line of thought.
Then the behavior does match the man page and how I understood it.
bye
Fabian
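As an added illustration of the distinction discussed in this thread (not code from the thread or from FreeBSD), the following Python script parses the `sysctl -a | grep blackhole` output the poster quoted and models which probes to a closed port still draw a reply under each net.inet.tcp.blackhole / net.inet.udp.blackhole setting. The sample sysctl lines are constructed from the values quoted above; the function names and the three-way result labels are assumptions made for this example.

```python
"""Model of FreeBSD net.inet.{tcp,udp}.blackhole behaviour for closed ports.

Added example, not code from the mailing-list thread or from FreeBSD itself.
It only describes what the blackhole sysctls do for *closed* ports; open
ports answer as usual and are not hidden by these settings.
"""
import re

# Constructed sample of `sysctl -a | grep blackhole` output, matching the
# values the original poster reported before raising the TCP value to 2.
SAMPLE_SYSCTL_OUTPUT = """\
net.inet.tcp.blackhole: 1
net.inet.udp.blackhole: 1
"""


def parse_blackhole(sysctl_text):
    """Return {'tcp': int, 'udp': int} from sysctl(8) 'name: value' lines.

    Any variable not present in the text is reported as 0 (the default).
    """
    values = {"tcp": 0, "udp": 0}
    for line in sysctl_text.splitlines():
        m = re.match(r"net\.inet\.(tcp|udp)\.blackhole:\s*(\d+)", line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def reply_to_closed_port(proto, settings, syn_only=True):
    """What the host sends back for a packet that reaches a closed port.

    proto    : 'tcp' or 'udp'
    settings : dict as returned by parse_blackhole()
    syn_only : for TCP, True for a bare SYN (ordinary connect attempt),
               False for any other segment (FIN/NULL/Xmas probes, stray ACKs)
    Returns one of 'RST', 'ICMP unreachable' or 'silent drop' (labels are
    this example's own).
    """
    if proto == "tcp":
        level = settings["tcp"]
        if level >= 2:                      # blackhole=2: every segment dropped
            return "silent drop"
        if level == 1 and syn_only:         # blackhole=1: only SYNs dropped
            return "silent drop"
        return "RST"                        # default: RST ("Connection refused")
    if proto == "udp":
        # udp.blackhole=1 suppresses the ICMP port-unreachable reply
        return "silent drop" if settings["udp"] >= 1 else "ICMP unreachable"
    raise ValueError("unknown protocol: %r" % proto)


def scan_visibility(settings):
    """Summarise which probe types still get a response for closed ports."""
    return {
        "tcp SYN": reply_to_closed_port("tcp", settings, syn_only=True),
        "tcp non-SYN": reply_to_closed_port("tcp", settings, syn_only=False),
        "udp": reply_to_closed_port("udp", settings),
    }


if __name__ == "__main__":
    before = parse_blackhole(SAMPLE_SYSCTL_OUTPUT)   # tcp=1, udp=1
    after = dict(before, tcp=2)                      # after the poster's change
    for label, cfg in (("tcp.blackhole=1", before), ("tcp.blackhole=2", after)):
        print(label, scan_visibility(cfg))
```

Running it shows the point Fabian makes: with tcp.blackhole=1 a non-SYN probe to a closed port still gets a RST, while tcp.blackhole=2 drops it silently as well. The sysctls only change what a closed port answers; they are not a substitute for a packet filter, and they do not conceal listening services.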
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security