[Fwbuilder-discussion] How to test a Firewall

Jesse Gordon jesseg at nikola.com
Wed Feb 20 20:35:03 UTC 2008


Hi Mario,

This doesn't answer your question exactly, but here's how I test firewalls:

First run tcpdump or ethereal to capture all packets, on the inside of 
the firewall.
Then, from the outside side of the firewall, do all your port scanning 
and stuff. If a single packet makes it through, it will show up in 
tcpdump or ethereal.

nmap is a good scanner as it will allow you to scan complete port ranges 
and probably on a range of IPs as well.
Netcat (the command nc) is also good -- it is like telnet, but it can 
establish connections either as a client or server, and it can also work 
in UDP mode like a UDP telnet client and server. It can also port scan, 
I believe.

There's another graphical tool called packETH whose webpage is down at 
the moment, but which is a rather nice arbitrary packet generator
which allows you to construct any sort of packet you want, and send any 
number of them you want.

One thing to watch out for with fwbuilder based firewalls is that with 
some styles of rules, the rules may be bypassed if a packet from outside 
arrives on the 'outside' interface with a destination mac of the outside 
interface, but a destination IP of any internal IP -- like 192.168.0.4.
(This scenario would be a likely thing to happen where somebody on your 
"public" network set their computer's default gateway to your public IP, 
for example.)

Hope this helps,

-Jesse

ml at bortal.de wrote:
> Hello List,
>
> we have set up a firewall and would like to test the setup.
> It's not as simple as just running a portscanner against it because you 
> need to have services listen behind the required services.
>
> I am looking for some server-client tool where I can set up a config to 
> open up tcp and udp services on multiple ports and port ranges.
>
> Can someone recommend such a tool?
>
> Thanks, Mario
>
> _______________________________________________
> Fwbuilder-discussion mailing list
> Fwbuilder-discussion at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion

-- 


Nikola Engineering Inc.
224 W. Washington St.
Suite 104
Sequim, WA 98382-3371
Tel  (360)582-1051
Fax (360)582-1104
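Mario asked for a server-client tool that opens TCP and UDP services on configurable ports and port ranges, and Jesse's method is to watch from the inside which packets actually get through. The script below is an added example written for this thread, not a tool either poster mentioned. It binds every port in a spec such as "tcp:22,80,8000-8010;udp:53", answers each connection or datagram with a small banner so a scanner sees the port as open, and records which ports were reached; the report then lists the bound ports that never saw traffic, which is the set the firewall (or routing) blocked. The spec format, the banner text and the function names are my own choices. Run the harness on a host behind the firewall, then use probe() or nmap from outside; run_self_test() exercises both halves locally on ephemeral ports with no firewall in the path.

```python
"""Multi-port TCP/UDP listener harness for firewall testing (added example).

Assumed usage: run ListenerHarness on a host *behind* the firewall with the
ports you expect to be allowed, then connect or scan from outside; report()
shows which bound ports were actually reached and which never saw traffic.
"""
import selectors
import socket
import threading


def parse_port_spec(spec):
    """Parse 'tcp:22,80,8000-8010;udp:53,5000-5002' into {'tcp': [...], 'udp': [...]}."""
    result = {"tcp": [], "udp": []}
    for chunk in spec.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        proto, _, ports = chunk.partition(":")
        proto = proto.strip().lower()
        if proto not in result:
            raise ValueError(f"unknown protocol {proto!r}")
        for item in ports.split(","):
            item = item.strip()
            if not item:
                continue
            lo, _, hi = item.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if not 0 <= lo <= hi <= 65535:          # port 0 = kernel-chosen, used by the self test
                raise ValueError(f"bad port range {item!r}")
            result[proto].extend(range(lo, hi + 1))
    return result


class ListenerHarness:
    """Bind every requested TCP/UDP port and record which peers reach them."""

    def __init__(self, spec, bind_addr="0.0.0.0"):
        self.sel = selectors.DefaultSelector()
        self.seen = {}                               # (proto, port) -> [(peer_ip, peer_port), ...]
        self.listening = {"tcp": [], "udp": []}      # ports actually bound
        self._stop = threading.Event()
        wanted = parse_port_spec(spec)
        for port in wanted["tcp"]:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((bind_addr, port))
            s.listen(16)
            s.setblocking(False)
            bound = s.getsockname()[1]
            self.listening["tcp"].append(bound)
            self.sel.register(s, selectors.EVENT_READ, ("tcp", bound))
        for port in wanted["udp"]:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind((bind_addr, port))
            s.setblocking(False)
            bound = s.getsockname()[1]
            self.listening["udp"].append(bound)
            self.sel.register(s, selectors.EVENT_READ, ("udp", bound))

    def serve(self):
        """Event loop: accept/receive on any ready socket, log the peer, send a banner."""
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.2):
                proto, port = key.data
                if proto == "tcp":
                    conn, peer = key.fileobj.accept()
                    conn.settimeout(1.0)             # accepted socket must block briefly for sendall
                    conn.sendall(b"open tcp/%d\n" % port)
                    conn.close()
                else:
                    _, peer = key.fileobj.recvfrom(2048)
                    key.fileobj.sendto(b"open udp/%d\n" % port, peer)
                self.seen.setdefault((proto, port), []).append(peer)

    def stop(self):
        self._stop.set()

    def close(self):
        """Release all sockets; call after the serve() thread has exited."""
        for key in list(self.sel.get_map().values()):
            self.sel.unregister(key.fileobj)
            key.fileobj.close()
        self.sel.close()

    def report(self):
        """Bound ports that were never reached are the ones the firewall or routing blocked."""
        unreached = {p: [port for port in ports if (p, port) not in self.seen]
                     for p, ports in self.listening.items()}
        return {"reached": sorted(self.seen), "unreached": unreached}


def probe(host, proto, port, timeout=2.0):
    """Client side: one TCP connect or one UDP datagram; True if the harness answered."""
    if proto == "tcp":
        try:
            with socket.create_connection((host, port), timeout=timeout) as c:
                return c.recv(64).startswith(b"open tcp/")
        except OSError:
            return False
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(b"ping", (host, port))
        try:
            return u.recv(64).startswith(b"open udp/")
        except OSError:
            return False


def run_self_test():
    """Local end-to-end check: two TCP ports and one UDP port, only one TCP port probed."""
    h = ListenerHarness("tcp:0,0;udp:0", bind_addr="127.0.0.1")
    t = threading.Thread(target=h.serve, daemon=True)
    t.start()
    results = [probe("127.0.0.1", "tcp", h.listening["tcp"][0]),
               probe("127.0.0.1", "udp", h.listening["udp"][0])]
    h.stop()
    t.join(timeout=3)
    h.close()
    return results, h.report()


if __name__ == "__main__":
    print(run_self_test())
```

Because both sides talk a tiny banner protocol, the client can distinguish "port reachable and my service answered" from "port reachable but something else answered", which a plain port scan cannot; the unreached list in report() is the direct counterpart of Jesse's inside-capture check, without needing tcpdump on the listening host.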