Dealing with portscans
Matthew Seaman
m.seaman at infracaninophile.co.uk
Tue Sep 23 05:46:55 UTC 2008
David Allen wrote:
> On 9/22/08, Matthew Seaman <m.seaman at infracaninophile.co.uk> wrote:
>> Also consider the following sysctls:
>>
>> # Blackhole packets to ports without listeners
>> net.inet.tcp.blackhole=1
>> net.inet.udp.blackhole=1
>>
>> although these will be redundant if your firewalling is effective.
>
> I wonder, though, would using a block-policy setting of return (which
> I'm currently using) render the above redundant, or would the above
> take precedence? I'll have to add that to the list of Stuff to Check.
Yes. If the firewall disposes of the packet via a block rule, then
those sysctls will not have any effect. The firewall can either drop the packet or send an ICMP port unreachable message according to how it is configured.
If the firewall passes the packet then either it is dealt with by a
program listening on the appropriate port, or the network stack itself
will generate an ICMP message (by default) or else just drop the packet
if the blackhole sysctls are enabled.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20080923/4fb6e3e4/signature.pgp
More information about the freebsd-questions
mailing list