[Dshield] testing a firewall
michael.nancarrow at ac3.com.au
Tue Dec 23 23:26:42 GMT 2003
I'm afraid I wasn't clear. I am using nmap and SuperScan to
test the firewall; the problem is that without something on the other side
of the firewall guaranteed to respond to everything, how can you be sure
the firewall is working correctly?
nmap scanner ----> f/w -----> server 10.1.1.1 exists
server 10.1.1.2-254 (don't exist)
Apart from setting up multiple addresses, how can you confirm the explicit
IP address rule is working correctly?
nmap scanner ------> f/w ------> http allowed
services 81 to 1024 not allowed
If the firewall is responding with a reset ack, no problem, but nmap comes
back with the port closed, which is not definitive.
Also, suppose you want to map all the rules on the firewall and compare
them to the rule set in a simulated environment, which is what we wanted to do. When you
are talking about 200-odd addresses and 10 different services on each
system, it becomes a real nuisance.
The reason I am chasing this is that we used the "recommended" method for
the firewall service for IPSEC from the vendor; the problem was it opened
up all services for that system. The only reason I found it was that I used
Ethereal with nmap and noticed the reset acks were coming from the server
and not the firewall.
Date: Mon, 22 Dec 2003 14:30:23 -0700
From: Erwin Fritz <efritz at glja.com>
Subject: Re: [Dshield] testing a firewall
To: General DShield Discussion List <list at dshield.org>
Message-ID: <3FE7626F.8050607 at glja.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
There's a few of these tools around. The one I like is nmap. It's at
michael nancarrow wrote:
> I have recently deployed a new firewall system and spent
> a lot of time testing the new rules. The one problem I found
> was that whilst I could test for known rules it was hard to test
> for unknown rules or unexpected results. Since we were not familiar
> with the new firewall we got some nasty surprises. What I was missing
> amongst the tool set was a means of getting every port from every
> ip address on the Internal network to respond. The idea being that
> I could do a complete port scan and guarantee a device behind the
> firewall would respond if it got through. Does anybody know if such
> a tool exists? Everybody has been working hard to stop this type
> of response occurring on b/cast addresses but it can be handy at times.
> Particularly if you don't want to do the testing in-situ.
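As an added example (not code from the thread or from any poster), here is one way to automate the "compare the scan to the rule set" step discussed above, with the closed-versus-filtered ambiguity Michael describes made explicit in the verdicts. The nmap XML and the allowed set are constructed for the thread's scenario (host 10.1.1.1 exists, http allowed, ports 81 to 1024 blocked).

```python
import xml.etree.ElementTree as ET

# Intended policy from the thread's scenario: host 10.1.1.1 exists and only
# tcp/80 (http) is allowed through; everything else must be blocked.
EXPECTED_ALLOWED = {("10.1.1.1", 80)}

# Constructed nmap -oX output for the example (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="10.1.1.1" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
  <port protocol="tcp" portid="81"><state state="closed" reason="reset"/></port>
  <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
 </ports></host>
 <host><address addr="10.1.1.2" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
 </ports></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {(ip, port): (state, reason)} for each TCP port nmap reported."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            if port.get("protocol") != "tcp":
                continue
            state = port.find("state")
            results[(addr, int(port.get("portid")))] = (state.get("state"), state.get("reason"))
    return results

def check_policy(observed, allowed):
    """Compare scan results with the intended rule set.

    'closed' on a port that should be blocked is AMBIGUOUS, not a pass: the RST
    may have come from the host itself, which means the firewall passed the probe.
    Only 'filtered' (no response), or a capture showing the RST was sent by the
    firewall, confirms the rule is doing its job.
    """
    findings = {}
    for key, (state, reason) in sorted(observed.items()):
        if key in allowed:
            findings[key] = "PASS" if state == "open" else "FAIL: allowed port not open"
        elif state == "open":
            findings[key] = "FAIL: blocked port is open"
        elif state == "filtered":
            findings[key] = "PASS"
        else:
            findings[key] = "AMBIGUOUS: reply '%s'; confirm its source with a capture" % reason
    return findings

if __name__ == "__main__":
    for (ip, port), verdict in check_policy(parse_nmap_xml(SAMPLE_NMAP_XML), EXPECTED_ALLOWED).items():
        print("%s:%d %s" % (ip, port, verdict))
```

Feed it real `nmap -oX` output and the verdict list becomes the checklist of ports that still need a packet capture to tell a firewall reset from a host reset.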