[Dshield] testing a firewall

Roman Fomichev from at e-solutions.lv
Tue Dec 23 16:10:51 GMT 2003


This can be done only if the firewall is a simple stateless packet filter.
But if the firewall uses stateful inspection or proxies, then this method
wouldn't work.



On Tue, 23 Dec 2003 16:26:56 +0100, mark rowlands 
<mark.rowlands at mypost.se> wrote:

> A colleague of mine came up with this idea.....
>
> requires a pair of linux boxes / iptables and netcat and nmap
>
> Behind the firewall
>
> contents of file test.nc:
>
> #!/bin/bash
> echo oink
> nc -l -p 2354 -e ~/test.nc
>
>
>
> then run :
>
>   # nc -l -p 2354 -e ~/test.nc
>
> then :
>
>   # for i in `seq 1 65000`;do
>   >  iptables -t nat -A PREROUTING -p tcp --dport $i -j DNAT --to 192.168.100.14:2354
>   > done
>
> iptables forwards all ports between 1 and 65000 to netcat listening on
> 2354.
>
> then, from outside the firewall, run an nmap scan :- the results as
> below
> for example show what is actually getting through.
>
>   # nmap -p 2000-2003 the box 192.168.100.14
>
>   Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
>   Warning:  You are not root -- using TCP pingscan rather than ICMP
>   Interesting ports on ooch.ouch.ohyeah.se (192.168.100.14):
>   Port       State       Service
>   2000/tcp   open        callbook
>   2001/tcp   open        dc
>   2002/tcp   open        globe
>   2003/tcp   open        cfingerd
>
>
>> -----Original Message-----
>> From: list-bounces at dshield.org
>> [mailto:list-bounces at dshield.org] On Behalf Of Erwin Fritz
>> Sent: Monday, December 22, 2003 10:30 PM
>> To: General DShield Discussion List
>> Subject: Re: [Dshield] testing a firewall
>>
>> There's a few of these tools around. The one I like is nmap.
>> It's at www.insecure.org.
>>
>> michael nancarrow wrote:
>>
>> > Hi,
>> > 	I have recently deployed a new firewall system and spent
>> > 	a lot of time testing the new rules. The one problem I found
>> > 	was that whilst I could test for known rules it was hard to test
>> > 	for unknown rules or unexpected results. Since we were not familiar
>> > 	with the new firewall we got some nasty surprises. What I was missing
>> > 	amongst the tool set was a means of getting every port from every
>> > 	ip address on the Internal network to respond. The idea being that
>> > 	I could do a complete port scan and guarantee a device behind the
>> > 	firewall would respond if it got through. Does anybody know if such
>> > 	a tool exists? Everybody has been working hard to stop this type
>> > 	of response occurring on b/cast addresses but it can be handy at times.
>> > 	Particularly if you don't want to do the testing in-situ.
>> > thanks
>> > Mike
>> >
>>
>> _______________________________________________
>> list mailing list
>> list at dshield.org
>> To change your subscription options (or unsubscribe), see:
>> http://www.dshield.org/mailman/listinfo/list
>>
>>
>
>



-- 
Roman Fomichev

--------------------------------------------------
If you don't keep up with security fixes, your network won't be yours for 
long.
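The DNAT-to-netcat test quoted above, turned into a repeatable check. This is an added example, not code from the thread or its participants; the listener address 192.168.100.14:2354 is the one from the thread, the allow-list of ports the policy is supposed to pass is an assumption, and the rule generator uses a single port-range rule instead of the 65000-iteration loop.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the DNAT-to-netcat test into
# a repeatable check. Listener address 192.168.100.14:2354 is the one used
# in the thread; the allow-list is an assumption standing in for your policy.

# Print (do not run) one iptables rule covering the whole TCP port range,
# replacing the 65000-iteration loop; review it, then run it as root.
dnat_rule() {
    # $1 = first port, $2 = last port, $3 = listener host:port
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s:%s -j DNAT --to-destination %s\n' "$1" "$2" "$3"
}

# Read nmap's normal output on stdin and print the open TCP ports, one per line.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' | sort -n
}

# Print, space separated, the open ports that the policy does not allow:
# $1 = nmap output, $2 = allowed ports (space separated). Every port the
# outside scan sees as open was answered by the listener, so anything not
# in the allow-list is a rule that lets more through than intended.
unexpected_ports() {
    out=""
    for p in $(printf '%s\n' "$1" | open_ports); do
        case " $2 " in
            *" $p "*) ;;                     # allowed by policy
            *) out="$out${out:+ }$p" ;;      # not allowed: unexpected hole
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample: the scan result pasted in the thread.
SAMPLE='Interesting ports on ooch.ouch.ohyeah.se (192.168.100.14):
Port       State       Service
2000/tcp   open        callbook
2001/tcp   open        dc
2002/tcp   open        globe
2003/tcp   open        cfingerd'

dnat_rule 1 65000 192.168.100.14:2354
# Assumed policy: only 2000 and 2002 should pass, so 2001 and 2003 are findings.
unexpected_ports "$SAMPLE" "2000 2002"
```

As Roman notes, a stateful or proxying firewall may never hand the connection to the listener, and nmap's "open" only proves a SYN was answered; connecting to a reported port with nc and checking for the "oink" banner confirms it really was the test listener that replied.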
