linux poison RSS
linux poison Email

Testing firewall rules

Sometimes it is handy to check firewall rules without coordinating a test with the end user. For these tests, use the hping2 utility to "spoof" traffic coming from the source IP address(es) used in the firewall rules.

At the same time, monitor the internal and external network interfaces on the firewall to make sure traffic is reaching the firewall and allowed through the firewall. In order to do this, you must have root access on the firewall and on the machine running hping2.

Example firewall rule:
Permit source IP 192.168.1.1 to communicate with destination IP 10.0.0.1 over TCP port 1000.

To test the rule, issue the following hping2 command:
hping2 -a 192.168.1.1 10.0.0.1 -p 1000
At the same time, log into the firewall and run the following commands (example with internal network interface etho and external network interface eth1)

In window 1:
tcpdump -i eth0 host 192.168.1.1 and port 1000

In window 2:
tcpdump -i eth1 host 10.0.0.1 and port 1000

If you do not see any output in window 1, traffic is not reaching the firewall. A choke router or other packet-filtering device may not be allowing the traffic to reach the firewall.

If you see output in window 1 but not in window 2, traffic is not being allowed through the firewall. Check the firewall rulebase for any errors.




0 comments:

Post a Comment

Related Posts with Thumbnails