[Dshield] testing a firewall

mark rowlands mark.rowlands at mypost.se
Tue Dec 23 15:26:56 GMT 2003

A colleague of mine came up with this idea...

Requires a pair of Linux boxes, iptables, netcat and nmap.

Behind the firewall

contents of file test.nc (must be executable, since netcat runs it with -e):

  #!/bin/sh
  echo oink                       # answer whoever connects
  nc -l -p 2354 -e ~/test.nc      # re-arm the listener for the next connection

then run:

  # nc -l -p 2354 -e ~/test.nc

then (the DNAT address is not in the original post; <netcat-host-ip> is a placeholder for the box running the listener):

  # for i in `seq 1 65000`; do
  >   iptables -t nat -A PREROUTING -p tcp --dport $i -j DNAT --to <netcat-host-ip>:2354
  > done

iptables forwards all ports between 1 and 65000 to the netcat listening on

then, from outside the firewall, run an nmap scan; the results, as in the
example below, show what is actually getting through.

  # nmap -p 2000-2003 the box

  Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ ) 
  Warning:  You are not root -- using TCP pingscan rather than ICMP 
  Interesting ports on ooch.ouch.ohyeah.se ( 
  Port       State       Service 
  2000/tcp   open        callbook 
  2001/tcp   open        dc 
  2002/tcp   open        globe 
  2003/tcp   open        cfingerd 
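To turn the check above into a repeatable audit, here is an added example (not code from the post or its author): it prints the DNAT rules for review instead of applying them, pulls the open ports out of nmap's port table, and reports any that the firewall policy did not intend to expose. The nmap output embedded below is constructed in the format the post shows, not a real scan.

```shell
#!/bin/sh
# Added example, not from the original post. Prints (does not run) the DNAT
# rules that send every TCP port to the netcat listener, so they can be
# reviewed before being applied on the firewall. $1 = listener IP, $2 = port.
dnat_rules() {
    target=$1; port=$2; first=${3:-1}; last=${4:-65000}
    i=$first
    while [ "$i" -le "$last" ]; do
        echo "iptables -t nat -A PREROUTING -p tcp --dport $i -j DNAT --to-destination $target:$port"
        i=$((i + 1))
    done
}

# Extract open TCP port numbers from nmap's human-readable port table
# ("2000/tcp   open   callbook"); filtered/closed lines are skipped.
open_ports() {
    printf '%s\n' "$1" | awk '/^[ \t]*[0-9]+\/tcp[ \t]+open/ { sub(/\/tcp/, "", $1); print $1 }'
}

# Given nmap output and a space-separated allow-list of ports the policy is
# meant to expose, print the open ports that are NOT on that list: these are
# the "unexpected rules" the thread is asking how to find.
unexpected_open() {
    scan=$1; allowed=" $2 "
    for p in $(open_ports "$scan"); do
        case "$allowed" in
            *" $p "*) ;;          # expected, policy allows it
            *) echo "$p" ;;       # got through, but nobody meant it to
        esac
    done
}

# Constructed sample in the layout nmap 2.54 prints (not a real scan result).
SAMPLE='Interesting ports on ooch.ouch.ohyeah.se:
Port       State       Service
2000/tcp   open        callbook
2001/tcp   open        dc
2002/tcp   filtered    globe
2003/tcp   open        cfingerd'

# Usage: save the real nmap output to a file, then
#   unexpected_open "$(cat scan.txt)" "2000 2001"
unexpected_open "$SAMPLE" "2000 2001"
```

Run the scan with `nmap -p 1-65000` against the firewall's outside address so every forwarded port is exercised, then feed the saved output to `unexpected_open` with the ports your policy is supposed to allow.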

> -----Original Message-----
> From: list-bounces at dshield.org
> [mailto:list-bounces at dshield.org] On Behalf Of Erwin Fritz
> Sent: Monday, December 22, 2003 10:30 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] testing a firewall
>
> There are a few of these tools around. The one I like is nmap.
> It's at www.insecure.org.
>
> michael nancarrow wrote:
> > Hi,
> > 	I have recently deployed a new firewall system and spent
> > 	a lot of time testing the new rules. The one problem I found
> > 	was that whilst I could test for known rules it was hard to test
> > 	for unknown rules or unexpected results. Since we were not familiar
> > 	with the new firewall we got some nasty surprises. What I was missing
> > 	amongst the tool set was a means of getting every port from every
> > 	ip address on the Internal network to respond. The idea being that
> > 	I could do a complete port scan and guarantee a device behind the
> > 	firewall would respond if it got through. Does anybody know if such
> > 	a tool exists? Everybody has been working hard to stop this type
> > 	of response occurring on b/cast addresses but it can be handy at times.
> > 	Particularly if you don't want to do the testing in-situ.
> > thanks
> > Mike
> >
