[Dshield] testing a firewall

michael nancarrow michael.nancarrow at ac3.com.au
Tue Dec 23 23:26:42 GMT 2003

	I'm afraid I wasn't clear. I am using nmap and superscan to
	test the firewall. The problem is that without something on the other side
	of the firewall guaranteed to respond to everything, how can you be sure
	the firewall is working correctly?

		nmap scanner ----> f/w -----> server exists
							server (don't exist)
	Apart from setting up multiple addresses, how can you confirm the explicit
	IP address rule is working correctly?

		nmap scanner ------> f/w ------> http allowed
							   services 81 to 1024 not allowed
	If the firewall is responding with a reset/ack, no problem, but nmap comes
	back with the port closed, which is not definitive.

	Also, suppose you want to map all the rules on the firewall and compare them
	to the rule set in a simulated environment, which is what we wanted to do. When you
	are talking about 200 odd addresses and 10 different services on each
	system it becomes a real nuisance.

	The reason I am chasing this is that we used the "recommended" method for
	the firewall service for IPSEC from the vendor; the problem was it opened
	up all services for that system. The only reason I found it was that I used
	ethereal with nmap and noticed the reset/acks were coming from the server
	and not the firewall.
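As an added illustration of the two checks Mike describes above (comparing scan results against the intended rule set, and telling a reset generated by the firewall from one sent by the host behind it), here is a small Python audit script. It is not part of the original thread; the hosts, ports, policy and TTL values are constructed, and it assumes the firewall sits one hop closer to the scanner than the servers, so the TTL on a returned RST identifies the sender.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Observation:
    """One scanned (host, port) as a probe tool reported it."""
    dst: str
    port: int
    state: str            # "open", "closed" (a RST came back) or "filtered" (silence)
    ttl: Optional[int]    # TTL on the reply packet; None when nothing answered

# Intended policy: only these (host, port) pairs should be reachable (constructed).
ALLOWED: Set[Tuple[str, int]] = {("10.0.0.5", 80)}
# Constructed hop counts: the firewall is one hop closer than the servers,
# so a RST it generates arrives with a TTL one higher than a server's RST.
FIREWALL_TTL = 63
SERVER_TTL = 62

def audit(observations: List[Observation], allowed=ALLOWED, fw_ttl=FIREWALL_TTL):
    """Return (observation, reason) pairs where the firewall did not behave as intended."""
    findings = []
    for o in observations:
        if (o.dst, o.port) in allowed:
            if o.state != "open":
                findings.append((o, "allowed service did not answer"))
            continue
        # Everything else should be stopped by the firewall itself.
        if o.state == "open":
            findings.append((o, "blocked port is reachable: rule gap"))
        elif o.state == "closed" and o.ttl is not None and o.ttl != fw_ttl:
            # A RST with the host's TTL was sent by the host, not the firewall:
            # the probe passed the firewall and only failed because nothing listened.
            findings.append((o, "RST came from behind the firewall: probe got through"))
    return findings

# Constructed sample scan: an allowed web server, a properly blocked port,
# an IPSEC host whose RSTs come from the host itself, a non-existent address,
# and a host with an unintended open port.
SAMPLE = [
    Observation("10.0.0.5", 80, "open", SERVER_TTL),
    Observation("10.0.0.5", 443, "closed", FIREWALL_TTL),
    Observation("10.0.0.6", 500, "closed", SERVER_TTL),
    Observation("10.0.0.9", 80, "filtered", None),
    Observation("10.0.0.7", 22, "open", SERVER_TTL),
]

if __name__ == "__main__":
    for obs, reason in audit(SAMPLE):
        print(f"{obs.dst}:{obs.port} {obs.state:8} ttl={obs.ttl}  -> {reason}")
```

Feeding it the TTLs seen in a packet capture alongside the scanner's port states turns "closed" from an ambiguous answer into one that says who sent the reset.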

Message: 12
Date: Mon, 22 Dec 2003 14:30:23 -0700
From: Erwin Fritz <efritz at glja.com>
Subject: Re: [Dshield] testing a firewall
To: General DShield Discussion List <list at dshield.org>
Message-ID: <3FE7626F.8050607 at glja.com>
Content-Type: text/plain; charset=us-ascii; format=flowed

There's a few of these tools around. The one I like is nmap. It's at

michael nancarrow wrote:

> Hi,
> 	I have recently deployed a new firewall system and spent
> 	a lot of time testing the new rules. The one problem I found
> 	was that whilst I could test for known rules it was hard to test
> 	for unknown rules or unexpected results. Since we were not familiar
> 	with the new firewall we got some nasty surprises. What I was missing
> 	amongst the tool set was a means of getting every port from every
> 	ip address on the Internal network to respond. The idea being that
> 	I could do a complete port scan and guarantee a device behind the
> 	firewall would respond if it got through. Does anybody know if such
> 	a tool exists? Everybody has been working hard to stop this type
> 	of response occurring on b/cast addresses but it can be handy at times.
> 	Particularly if you don't want to do the testing in-situ.
> thanks
> Mike
