David Allen wrote:
On 9/22/08, Matthew Seaman <[EMAIL PROTECTED]> wrote:
Also consider the following sysctls: # Blackhole packets to ports without listeners net.inet.tcp.blackhole=1 net.inet.udp.blackhole=1 although these will be redundant if your firewalling is effective.I wonder, though, would using a block-policy setting of return (which I'm currently using) render the above redundant, or would the above take precedence? I'll have to add that to the list of Stuff to Check.
Yes. If the firewall disposes of the packet via a block rule, then
those sysctls will not have any effect. The firewall can either drop the
packet or send an ICMP port unreachable message according to how it is
configured.
If the firewall passes the packet then either it is dealt with by a
program listening on the appropriate port, or the network stack itself
will generate an ICMP message (by default) or else just drop the packet
if the blackhole sysctls are enabled.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
signature.asc
Description: OpenPGP digital signature
