[Dshield] testing a firewall

Rick Klinge rick at jaray.net
Tue Dec 23 15:54:13 GMT 2003


You could always use ShieldsUP! at http://www.grc.com to test your
ports...

~Rick

> 
> A colleague of mine came up with this idea.....
> 
> requires a pair of linux boxes / iptables and netcat and nmap
> 
> Behind the firewall
> 
> contents of file test.nc: 
> 
> #!/bin/bash 
> echo oink                    # any reply will do; the scan only needs the port to answer
> nc -l -p 2354 -e ~/test.nc   # re-exec this script on the next connection so the listener persists
> 
> 
> 
> then on run : 
> 
>   # nc -l -p 2354 -e ~/test.nc 
> 
> then : 
> 
>   # for i in `seq 1 65000`;do 
>   >  iptables -t nat -A PREROUTING -p tcp --dport $i -j DNAT 
> --to 192.168.100.14:2354 
>   > done 
> 
> iptables forwards all ports between 1 and 65000 to netcat 
> listening on 2354.
> 
> then, from outside the firewall, run an nmap scan; the 
> results below, for example, show what is actually getting through. 
> 
>   # nmap -p 2000-2003 the box 192.168.100.14
> 
>   Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ ) 
>   Warning:  You are not root -- using TCP pingscan rather than ICMP 
>   Interesting ports on ooch.ouch.ohyeah.se (192.168.100.14): 
>   Port       State       Service 
>   2000/tcp   open        callbook 
>   2001/tcp   open        dc 
>   2002/tcp   open        globe 
>   2003/tcp   open        cfingerd 
>   
> 
> > 
> > There's a few of these tools around. The one I like is nmap.
> > It's at www.insecure.org.
> > 
> > michael nancarrow wrote:
> > 
> > > Hi,
> > > 	I have recently deployed a new firewall system and spent
> > > 	a lot of time testing the new rules. The one problem I found 
> > > 	was that whilst I could test for known rules it was hard to test
> > > 	for unknown rules or unexpected results. Since we were not familiar
> > > 	with the new firewall we got some nasty surprises. What I was missing
> > > 	amongst the tool set was a means of getting every port from every
> > > 	ip address on the Internal network to respond. The idea being that
> > > 	I could do a complete port scan and guarantee a device behind the
> > > 	firewall would respond if it got through. Does anybody know if such
> > > 	a tool exists? Everybody has been working hard to stop this type
> > > 	of response occurring on b/cast addresses but it can be handy at times.
> > > 	Particularly if you don't want to do the testing in-situ. thanks
> > > Mike
> > > 
> > 
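The responder-plus-DNAT test described in the quoted message, written out as an added shell example; this is not code from the thread or from anyone on the list. It keeps the inside responder address and port from the thread (192.168.100.14:2354), assumes the firewall's external interface is called eth0, and uses 203.0.113.10 as an assumed external address in a constructed sample of nmap grepable (-oG) output. Two things the quoted recipe leaves implicit are made explicit here: a single --dport range rule does the job of the 65000-rule loop, and the scan from outside has to target the firewall's external address, not the inside host, or you are measuring nothing but the inside box. The last two functions parse the scan output and print every open port that is not on your allowed list, which is the "unknown rule" the original poster wanted to find.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholders: INSIDE_IP and
# LISTEN_PORT are the responder values from the thread; WAN_IF ("eth0") and
# the external address 203.0.113.10 in the sample scan output are assumptions.

INSIDE_IP="${INSIDE_IP:-192.168.100.14}"
LISTEN_PORT="${LISTEN_PORT:-2354}"
WAN_IF="${WAN_IF:-eth0}"

# Step 1 (on the firewall): one PREROUTING rule over the whole port range
# replaces the per-port loop; iptables accepts "low:high" for --dport.
# DNAT runs before the FORWARD chain, so the filter rules still decide what
# gets through, which is exactly what the scan is meant to measure.
dnat_rule() {
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 1:65535 -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$INSIDE_IP" "$LISTEN_PORT"
}

# Step 2 (on INSIDE_IP): a persistent responder. A loop replaces the
# self-re-executing script and needs no "-e" (many netcat builds lack it).
# "-q 1" (close one second after EOF on stdin) is traditional-netcat syntax;
# other nc variants differ, so check yours.
run_responder() {
  while :; do
    printf 'oink\n' | nc -l -p "$LISTEN_PORT" -q 1
  done
}

# Step 3 (outside): scan the firewall's EXTERNAL address, e.g.
#   nmap -p 1-65535 -oG scan.gnmap 203.0.113.10
# and feed the grepable output to the functions below.

# Print every TCP port reported "open" in nmap -oG output (stdin), one per line.
open_ports() {
  awk -F'\t' '/^Host:/ {
    for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
      sub(/^Ports: /, "", $i)
      n = split($i, entry, /, /)
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")            # port/state/proto//service///
        if (f[2] == "open" && f[3] == "tcp") print f[1]
      }
    }
  }' | sort -n
}

# Print open ports that are NOT in the allowed list ($1, space-separated):
# these are the rules you did not know you had.
leaked_ports() {
  allowed=" $1 "
  open_ports | while read -r port; do
    case "$allowed" in
      *" $port "*) ;;
      *) echo "$port" ;;
    esac
  done
}

# Constructed sample of grepable nmap output (not a real scan).
sample_gnmap() {
  printf '# Nmap scan of firewall external address (constructed sample)\n'
  printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 2000/open/tcp//callbook///, 2001/open/tcp//dc///, 2003/open/tcp//cfingerd///\tIgnored State: filtered (65530)\n'
}

case "${1:-}" in
  rule)      dnat_rule ;;
  responder) run_responder ;;
  report)    leaked_ports "${2:-}" ;;              # allowed ports in $2, nmap -oG on stdin
  *)         sample_gnmap | leaked_ports "22 80" ;; # demo on the constructed sample
esac
```

Usage: `sh test-fw.sh rule` prints the DNAT rule to apply on the firewall, `sh test-fw.sh responder` runs on the inside host, and `nmap -p 1-65535 -oG - 203.0.113.10 | sh test-fw.sh report "22 80"` from outside lists the TCP ports that leaked past the ruleset. Run nmap as root so it uses its normal host discovery rather than the non-root TCP ping fallback shown in the quoted output, and remember this only covers TCP; UDP and ICMP need their own responder.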
