blackhole(4)

NAME

sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
sysctl net.inet.udp.blackhole[=[0 | 1]]

The blackhole sysctl(8) MIB is used to control system be
haviour when connection requests are received on TCP or UDP ports where
there is no socket listening.
Normal behaviour, when a TCP SYN segment is received on a
port where there is no socket accepting connections, is for the system
to return a RST segment, and drop the connection. The connecting system
will see this as a ``Connection refused''. By setting the TCP black
hole MIB to a numeric value of one, the incoming SYN segment is merely
dropped, and no RST is sent, making the system appear as a blackhole. By
setting the MIB value to two, any segment arriving on a closed port is
dropped without returning a RST. This provides some degree of protection
against stealth port scans.
In the UDP instance, enabling blackhole behaviour turns off
the sending of an ICMP port unreachable message in response to a UDP
datagram which arrives on a port where there is no socket listening. It
must be noted that this behaviour will prevent remote systems from running traceroute(8) to a system.
The blackhole behaviour is useful to slow down anyone who is
port scanning a system, attempting to detect vulnerable services on a
system. It could potentially also slow down someone who is attempting a
denial of service attack.