Monday, March 24, 2008

Testing firewall rules

Sometimes it is handy to check firewall rules without coordinating a test with the end user. For these tests, use the hping2 utility to "spoof" traffic coming from the source IP address(es) used in the firewall rules.

At the same time, monitor the internal and external network interfaces on the firewall to make sure traffic is reaching the firewall and allowed through the firewall. In order to do this, you must have root access on the firewall and on the machine running hping2.

Example firewall rule:
Permit source IP 192.168.1.1 to communicate with destination IP 10.0.0.1 over TCP port 1000.

To test the rule, issue the following hping2 command:
hping2 -a 192.168.1.1 10.0.0.1 -p 1000

At the same time, log into the firewall and run the following commands (example with internal network interface etho and external network interface eth1)

In window 1:
tcpdump -i eth0 host 192.168.1.1 and port 1000

In window 2:
tcpdump -i eth1 host 10.0.0.1 and port 1000

If you do not see any output in window 1, traffic is not reaching the firewall. A choke router or other packet-filtering device may not be allowing the traffic to reach the firewall.

If you see output in window 1 but not in window 2, traffic is not being allowed through the firewall. Check the firewall rulebase for any errors.

Testing firewall rulesSocialTwist Tell-a-Friend

Posted by Nikesh Jauhari at 12:11 AM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Linuxpoison Archive

Add to Technorati Favorites http://www.wikio.com Software Computers blogs TopOfBlogs Unix-Linux Blogs Computers (Software) - TOP.ORG Computer Software Blog Directory Computer Blogs - Blog Catalog Blog Directory Blog Flux Directory Technology Blogs - Blog Rankings

Copying and distribution of the articles is permitted in any medium as long as the author and source are quoted.
E-mail contact: njauhari@cybage.com
All trademarks are the property of their respective owners.