Dealing with portscans

Matthew Seaman m.seaman at
Tue Sep 23 05:46:55 UTC 2008

David Allen wrote:
> On 9/22/08, Matthew Seaman <m.seaman at> wrote:
>> Also consider the following sysctls:
>> # Blackhole packets to ports without listeners
>> net.inet.tcp.blackhole=1
>> net.inet.udp.blackhole=1
>> although these will be redundant if your firewalling is effective.
> I wonder, though, would using a block-policy setting of return (which
> I'm currently using) render the above redundant, or would the above
> take precedence?  I'll have to add that to the list of Stuff to Check.

Yes.  If the firewall disposes of the packet via a block rule, then
those sysctls will not have any effect.  The firewall can either drop the packet or send an ICMP port unreachable message according to how it is configured.

If the firewall passes the packet then either it is dealt with by a
program listening on the appropriate port, or the network stack itself
will generate an ICMP message (by default) or else just drop the packet
if the blackhole sysctls are enabled.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
                                                  Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
Url :

More information about the freebsd-questions mailing list