David Allen wrote:
On 9/22/08, Matthew Seaman <[EMAIL PROTECTED]> wrote:
Also consider the following sysctls: # Blackhole packets to ports without listeners net.inet.tcp.blackhole=1 net.inet.udp.blackhole=1 although these will be redundant if your firewalling is effective.I wonder, though, would using a block-policy setting of return (which I'm currently using) render the above redundant, or would the above take precedence? I'll have to add that to the list of Stuff to Check.
Yes. If the firewall disposes of the packet via a block rule, then those sysctls will not have any effect. The firewall can either drop the packet or send an ICMP port unreachable message according to how it is configured. If the firewall passes the packet then either it is dealt with by a program listening on the appropriate port, or the network stack itself will generate an ICMP message (by default) or else just drop the packet if the blackhole sysctls are enabled. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Description: OpenPGP digital signature