Subject: Re: Preventative security features?
To: None <tech-security@netbsd.org>
From: Dmitri Nikulin <setagllib@optusnet.com.au>
List: tech-security
Date: 11/15/2004 21:00:40
Jesper Louis Andersen wrote:

>Quoting Dmitri Nikulin (setagllib@optusnet.com.au):
>
>>Other: in FreeBSD it's (something like) net.inet.tcp.blackhole and 
>>net.inet.udp.blackhole. These make non-listening ports NOT return 
>>ICMP/RST messages saying they're not open, instead pretending it never 
>>got a request. 
>
>I got the impression that it was more to do with RST-return rate
>limiting than dropping packets. Personally, my firewalls always
>return RST for TCP-data anyway, so I do not care that much. I do not
>think that dropping the packet makes the firewall any more secure than
>not dropping it. Only thing it does is to irritate me when I have to
>do diagnostics and packets get pulled out and dropped by the firewall.
Well, it always acted as dropping (where it would reject) for me. That's 
also what the documentation states as far as I saw. It also goes with 
'blackhole' more sensibly when applied to ports.

I didn't say anything about making it more secure, but it gives 
anonymity where ports can be open or closed, and when closed they are as 
if nonexistent. This also means that, since it doesn't ever 'reject' 
packets, a very big part of what it takes to do OS fingerprinting is 
impossible. Besides, if a service can be up or down, it will appear to 
not exist (as if there was no exception for it in the packet filter) 
when it's down. This has uses; like I said, I had it for MSN file 
transfers without losing the 'perfect stealth' effect.

A side effect is that self-tests (tcllib, for instance) that require a 
connect to fail in order to succeed (the test) take a lot longer to 
fail, since they time out instead of being immediately rejected. This is 
livable though, just remove the test part of ports/pkgsrc Makefiles, or 
sit and wait.

But yes, it can be emulated with packet filtering and without that 
side effect.
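Added example, not part of the thread: a client-side probe that makes the behaviour discussed above visible. With `net.inet.tcp.blackhole=0` (or a filter rule that returns RST) a closed port answers immediately and the connect fails with "connection refused"; with blackhole enabled (1 drops SYNs to closed ports, 2 drops every segment to them) or a silent `drop` rule nothing comes back, so the connect only fails when its timeout expires, which is exactly why the self-tests mentioned take so long. The local demonstration uses a constructed listener on 127.0.0.1; the "dropped" outcome can only be observed against a real blackholing host.

```python
import socket
import time

# Outcomes of one TCP connect; the mail contrasts "closed" (RST straight
# back) with a blackholed port (no reply, failure only by timeout).
OPEN, CLOSED, DROPPED, UNREACHABLE = "open", "closed", "dropped", "unreachable"


def probe_tcp(host, port, timeout=3.0):
    """Try one TCP connect and report (state, seconds taken).

    ECONNREFUSED means the peer sent RST (default behaviour or a 'return'
    filter rule). A timeout means the SYN was silently dropped, as with
    net.inet.tcp.blackhole or a 'drop' filter rule."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        state = OPEN
    except ConnectionRefusedError:
        state = CLOSED
    except socket.timeout:
        state = DROPPED
    except OSError:
        state = UNREACHABLE
    finally:
        sock.close()
    return state, time.monotonic() - start


def demo_local_ports(timeout=3.0):
    """Constructed demonstration: a listener on 127.0.0.1 shows 'open';
    once it is closed the same port answers with RST, so the probe reports
    'closed' almost instantly instead of waiting for the timeout."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_state, _ = probe_tcp("127.0.0.1", port, timeout)
    listener.close()
    closed_state, closed_elapsed = probe_tcp("127.0.0.1", port, timeout)
    return open_state, closed_state, closed_elapsed


if __name__ == "__main__":
    o, c, secs = demo_local_ports()
    print(f"listening port: {o}; after close: {c} in {secs:.3f}s")
```

Run it against a host with blackhole enabled and the second probe reports "dropped" after the full timeout instead of "closed" in milliseconds.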