Testing Firewall Rules


7 replies to this topic

#1 wildweaselmi (Administrator, 1,024 posts)
Posted 20 May 2009 - 11:15 AM

Sometimes it is handy to check firewall rules without coordinating a test with the end user. For these tests, use the hping2 utility to "spoof" traffic coming from the source IP address(es) used in the firewall rules.
At the same time, monitor the internal and external network interfaces on the firewall to make sure traffic is reaching the firewall and allowed through the firewall. In order to do this, you must have root access on the firewall and on the machine running hping2.

Example firewall rule:
Permit source IP 192.168.1.1 to communicate with destination IP 10.0.0.1 over TCP port 1000.

To test the rule, issue the following hping2 command:
hping2 -a 192.168.1.1 10.0.0.1 -p 1000

At the same time, log into the firewall and run the following commands (example using a Solaris firewall with internal network interface hme0 and external network interface qfe0):

In window 1:
snoop -d hme0 host 192.168.1.1 port 1000
-- or --
tcpdump -i hme0 host 192.168.1.1 and port 1000
In window 2:
snoop -d qfe0 host 10.0.0.1 port 1000
-- or --
tcpdump -i qfe0 host 10.0.0.1 and port 1000
If you do not see any output in window 1, traffic is not reaching the firewall. A choke router or other packet-filtering device may not be allowing the traffic to reach the firewall.
If you see output in window 1 but not in window 2, traffic is not being allowed through the firewall. Check the firewall rulebase for any errors.
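
Added example (editor's script, not part of wildweaselmi's post): the same spoofed-source test scripted end to end, so that both captures are attached before the first probe and the packet counts on each interface are turned into the diagnosis the post describes. Assumptions: the firewall is reachable as root over ssh under the name fw, it has tcpdump and timeout(1), hping3 runs as root on the test box (hping2 accepts the same -S -a -p -c options), and the addresses and interface names default to the post's values. One deliberate difference from the post's hping2 line: the probe sets SYN (-S). A stateful firewall drops a flagless TCP segment as belonging to no connection, which would look exactly like a blocked rule.

```sh
#!/bin/sh
# Added example, not code from the original post: run the spoofed-source probe and
# the two firewall captures from one place and turn the counts into a verdict.
# Assumed names: FW (ssh host of the firewall, root), hping3 on this box.
set -u

SRC=${SRC:-192.168.1.1}   # source address the rule permits; hping spoofs it
DST=${DST:-10.0.0.1}      # destination address in the rule
DPORT=${DPORT:-1000}      # TCP port in the rule
COUNT=${COUNT:-5}         # probes to send
IN_IF=${IN_IF:-hme0}      # firewall interface facing SRC
OUT_IF=${OUT_IF:-qfe0}    # firewall interface facing DST
FW=${FW:-fw}              # ssh name of the firewall (assumption)
WINDOW=${WINDOW:-10}      # seconds each capture waits for COUNT packets

# Only the probe SYNs are counted: with a spoofed source any reply goes to SRC,
# not to this box. The outside filter does not pin the source address because the
# firewall may NAT it on the way out.
IN_FILTER="src host $SRC and dst host $DST and tcp dst port $DPORT and tcp[tcpflags] & tcp-syn != 0"
OUT_FILTER="dst host $DST and tcp dst port $DPORT and tcp[tcpflags] & tcp-syn != 0"

# count_on_iface IFACE BPF: number of matching packets seen on the firewall
# interface. tcpdump stops after COUNT matches; timeout ends the wait otherwise.
count_on_iface() {
  ssh root@"$FW" "timeout $WINDOW tcpdump -nn -i $1 -c $COUNT '$2' 2>/dev/null | wc -l" | tr -d ' '
}

# fw_verdict INSIDE_COUNT OUTSIDE_COUNT: the post's two diagnoses plus the case
# where only some probes crossed (rate limiting, state-table trouble).
fw_verdict() {
  inside=${1:-0}; outside=${2:-0}
  if [ "$inside" -eq 0 ]; then
    echo "not-reaching-firewall"    # a choke router or upstream filter drops it
  elif [ "$outside" -eq 0 ]; then
    echo "blocked-by-firewall"      # seen on the inside interface, never left
  elif [ "$outside" -lt "$inside" ]; then
    echo "partially-passed"
  else
    echo "permitted"
  fi
}

run_check() {
  in_count=$(mktemp); out_count=$(mktemp)
  count_on_iface "$IN_IF"  "$IN_FILTER"  >"$in_count"  &
  count_on_iface "$OUT_IF" "$OUT_FILTER" >"$out_count" &
  sleep 2   # let both captures attach before the first probe
  # -S: SYN, so a stateful firewall sees a new connection rather than a stray segment
  # -a: spoof the source address the rule names
  hping3 -S -a "$SRC" -p "$DPORT" -c "$COUNT" "$DST" >/dev/null 2>&1
  wait
  echo "seen on $IN_IF: $(cat "$in_count"), seen on $OUT_IF: $(cat "$out_count")"
  fw_verdict "$(cat "$in_count")" "$(cat "$out_count")"
  rm -f "$in_count" "$out_count"
}

case "${1-}" in run) run_check ;; esac
```

Run it as `sh fwtest.sh run` (file name assumed) from the host that sends the probes; override SRC, DST, DPORT, IN_IF, OUT_IF or FW in the environment for another rule. The verdict only covers the forward SYN; a rule that passes the SYN but whose return path is broken still shows up as "permitted" here, so a real end-to-end check from the source host is still needed before closing the ticket.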

#2 rev.research (Member, 65 posts)
Posted 21 May 2009 - 06:06 AM

You can also use nmap.

One of the regular tasks you'll be performing with Nmap is verifying that your firewall rules are performing as intended. To do so, run a scan to look for ports that appear open to the outside world and check whether they are filtered or not. A simple firewall audit scan would be something similar to:

nmap -v -sA -ff -r -n www.mywiseguys.net -oA firewallaudit

One of the best ways to understand how your firewall handles uninvited traffic is to verify that its filters and rules are working as you anticipated. For example, one mistake many administrators make when creating rules for allowing traffic through their firewall is to trust traffic based simply on its source port number, such as DNS replies from port 53 or FTP from port 20. To test whether your firewall allows all traffic through on a particular port you can use most of Nmap's TCP scans, including the SYN scan, with the spoof source port number option (--source-port, or abbreviated just to -g). Simply provide a port number, and Nmap will send packets from that port where possible. For example, the following command will run a FIN scan using a spoofed source port number of 25 (SMTP), saving the output to the file firewallreport.txt.

nmap -sF -g 25 -oN firewallreport.txt www.mywiseguys.net

When auditing your firewall, I recommend that you scan ports in numerical order (option -r) to make it easier to follow the traffic flow when analyzing the Nmap output files. However, when testing the effectiveness of firewalls and intrusion detection systems, use the default, which is a randomized port order, in addition to randomizing the order in which hosts are scanned by using the randomize-hosts option, which can be abbreviated to -rH. This, combined with slow timing options, which we will look at next week, will make any network monitoring devices you have work hard to detect the scan. An example command to test your network defences could be:

nmap -sS --scan-delay 500ms -f --randomize-hosts -oN firewallreport.txt www.mywiseguys.net
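
Added example (editor's script, not part of rev.research's post): the source-port trust test from the post done as a differential scan. The same SYN scan runs twice against the same target and port range, once from a random source port and once with --source-port 53, and every port that answers (open or closed) only in the second run is reachable purely because of the source port the rule trusts. Both results are parsed from nmap's grepable output (-oG). The target, port range, trusted port, file names and the sample scan lines used by the demo are assumptions, not data from the thread.

```sh
#!/bin/sh
# Added example, not code from the original post: find firewall rules that trust
# a source port by diffing a baseline SYN scan against one sent from that port.
set -u
export LC_ALL=C   # sort and comm must agree on collation

TARGET=${TARGET:-www.mywiseguys.net}
PORTS=${PORTS:-1-1024}
TRUSTED_SPORT=${TRUSTED_SPORT:-53}   # 53 (DNS) and 20 (FTP-data) are the usual suspects

# Read -oG text on stdin; print "host port/proto" for each listed port that
# answered (state open or closed), sorted for comm(1). A -oG Ports field looks like:
#   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
# with the per-port fields being port/state/proto/owner/service/rpc/version/.
gnmap_responding() {
  awk -F '\t' '
    /^Host: / {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        sub(/^Ports: /, "", $i)
        n = split($i, entry, /, */)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open" || f[2] == "closed") print host, f[1] "/" f[3]
        }
      }
    }' | sort
}

# The state nmap folded out of the Ports field ("Ignored State: filtered (1021)").
# If the spoofed scan's ignored state is "closed", every unlisted port answered
# with a RST, and the comm(1) comparison below understates the exposure.
gnmap_ignored_state() {
  sed -n 's/.*Ignored State: \([a-z|]*\).*/\1/p' | head -n 1
}

# ports_reachable_via_sport BASELINE SPOOFED: lines present only in SPOOFED
# (both files already in gnmap_responding form).
ports_reachable_via_sport() {
  comm -13 "$1" "$2"
}

run_check() {
  nmap -n -sS -p "$PORTS" -oG baseline.gnmap "$TARGET" >/dev/null
  nmap -n -sS -p "$PORTS" --source-port "$TRUSTED_SPORT" -oG sport.gnmap "$TARGET" >/dev/null
  gnmap_responding <baseline.gnmap >baseline.resp
  gnmap_responding <sport.gnmap   >sport.resp
  if [ "$(gnmap_ignored_state <sport.gnmap)" = closed ] &&
     [ "$(gnmap_ignored_state <baseline.gnmap)" = filtered ]; then
    echo "WARNING: with source port $TRUSTED_SPORT every unlisted port answered; the list below covers only displayed ports"
  fi
  echo "ports answering only with source port $TRUSTED_SPORT:"
  ports_reachable_via_sport baseline.resp sport.resp
}

# Constructed -oG lines (not real scan output): the baseline shows only 80; with
# source port 53 the firewall also lets 22 (open) and 3306 (closed, i.e. RST) through.
demo() {
  b=$(mktemp); s=$(mktemp)
  printf 'Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///\tIgnored State: filtered (1023)\n' \
    | gnmap_responding >"$b"
  printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/closed/tcp//mysql///\tIgnored State: filtered (1021)\n' \
    | gnmap_responding >"$s"
  ports_reachable_via_sport "$b" "$s"
  rm -f "$b" "$s"
}

case "${1-}" in
  run)  run_check ;;
  demo) demo ;;
esac
```

`sh sporttest.sh demo` (file name assumed) prints the two ports from the constructed sample; `sh sporttest.sh run` performs the real pair of scans as root. A port that shows up in the list is not necessarily a service you can talk to, since the reply to a full connection may still be blocked, but it is a rule that matched on the source port alone and should be rewritten to key on the peer address or on connection state.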

#3 wildweaselmi (Administrator, 1,024 posts)
Posted 21 May 2009 - 06:12 AM

Thanks,

I used nmap just for an inventory scan of what I have. I used to use GFI LANGuard, but nmap does the same thing and is free.

The following scan will produce a categorized inventory of client and server devices, as well as routers, switches and printers:

nmap -vv -sS -O -n www.mywiseguys.net/24 -oA inventory

#4 wildweaselmi (Administrator, 1,024 posts)
Posted 01 December 2009 - 10:42 AM

The following will go over how to test Firewall Rules using nmap

Type of Rule
Port(s) - Open/Allowed or Closed/Blocked
Source - Based using a source IP address
Destination - Based on destination IP address
Transport Layer - ICMP blocked/allowed

Then we will go over how to test the nmap commands using your Linksys router's built-in firewall.

We will also look into using the firewall on the Ubuntu BootCD for testing (which would require another laptop)

#5 wildweaselmi (Administrator, 1,024 posts)
Posted 01 December 2009 - 10:49 AM

SYN scans (-sS) are the workhorse of scanning methods. They are also called "half-open" scans because you simply send a SYN packet, look for the return SYN|ACK (open) or RST (closed) packet and then you tear down the connection before sending the ACK that would normally finish the TCP 3-way handshake. These scans don't depend on the characteristics of the target TCP stack and will work anytime a connect() scan would have worked.

They are also harder to detect -- TCP wrappers or anything outside of the kernel shouldn't be able to pick up these scans -- but packet filters like ipfwadm or a firewall can. If a box is being filtered, Nmap's SYN scan will detect this and report ports which are being filtered.

EXAMPLE:
The option -sT to nmap tells it to run a standard TCP connect scan -- basically, "what TCP services are advertised".

server# nmap -sT mwglinuxbox

Starting nmap V. 2.54BETA22 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. )
Interesting ports on mwglinuxbox (IP.of.that.box):
(The 1538 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

The following command will run a FIN scan using a spoofed source port number of 25 (SMTP) saving the output to file firewallreport.txt.
nmap -sF -g 25 -oN firewallreport.txt www.yoursite.com

The following command will audit your firewall using a randomized port order, in addition to randomizing the order in which hosts are scanned by using the randomize-hosts option, which can be abbreviated to -rH. This, combined with slow timing options, will make any network monitoring devices you have work hard to detect the scan.
nmap -sS --scan-delay 500ms -f --randomize-hosts -oN firewallreport.txt www.yoursite.com
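
Added example (editor's script, not part of wildweaselmi's post): what the half-open exchange described above looks like on the wire, and how each probed port is classified from the target's reply alone. This is what a packet filter or a sniffer on the firewall sees, and what TCP wrappers never see because no connection is ever completed. The scanner and target addresses (192.0.2.5 and 192.0.2.10) and the tcpdump lines fed to the demo are constructed, not captured traffic.

```sh
#!/bin/sh
# Added example, not code from the original post: classify a SYN (half-open) scan
# from tcpdump -nn output. For each SYN the scanner sends, the target's reply
# decides the state the way nmap -sS reports it: SYN|ACK -> open (the scanner then
# answers with RST instead of finishing the handshake), RST -> closed, no reply or
# an ICMP unreachable -> filtered. SCANNER and TARGET are assumptions.
set -u

SCANNER=${SCANNER:-192.0.2.5}
TARGET=${TARGET:-192.0.2.10}

# Read tcpdump -nn lines on stdin; print "port state" for each probed target
# port, in probe order. Example input line:
# 12:00:00.000001 IP 192.0.2.5.40000 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
classify_syn_scan() {
  awk -v scanner="$SCANNER" -v target="$TARGET" '
    function port(addr,   k) { k = split(addr, a, "."); return a[k] }   # host.port -> port
    # probe: scanner -> target with only SYN set; a retransmit does not reset the state
    $2 == "IP" && $3 ~ "^" scanner "\\." && $5 ~ "^" target "\\." && $7 == "[S]," {
      p = port($5); sub(/:$/, "", p)
      if (!(p in state)) { state[p] = "filtered"; order[++n] = p }
    }
    # reply: target -> scanner; no reply (or only ICMP unreachable) leaves it filtered
    $2 == "IP" && $3 ~ "^" target "\\." && $5 ~ "^" scanner "\\." {
      p = port($3)
      if ($7 == "[S.],") state[p] = "open"               # SYN|ACK: something is listening
      else if ($7 ~ /^\[R\.?\],$/) state[p] = "closed"   # RST or RST|ACK: nothing there
    }
    END { for (i = 1; i <= n; i++) print order[i], state[order[i]] }'
}

# Constructed capture (not real traffic): 22 answers SYN|ACK and the scanner tears
# it down with a bare RST, 25 answers RST|ACK, 80 is probed twice and never answers.
SAMPLE_CAPTURE=$(cat <<'EOF'
12:00:00.000001 IP 192.0.2.5.40000 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
12:00:00.000002 IP 192.0.2.10.22 > 192.0.2.5.40000: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:00.000003 IP 192.0.2.5.40000 > 192.0.2.10.22: Flags [R], seq 2, win 0, length 0
12:00:00.000004 IP 192.0.2.5.40001 > 192.0.2.10.25: Flags [S], seq 1, win 1024, length 0
12:00:00.000005 IP 192.0.2.10.25 > 192.0.2.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.000006 IP 192.0.2.5.40002 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000007 IP 192.0.2.5.40002 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
EOF
)

demo() { printf '%s\n' "$SAMPLE_CAPTURE" | classify_syn_scan; }

case "${1-}" in
  demo) demo ;;
  pcap) tcpdump -nn -r "${2:?pcap file}" "host $TARGET and tcp" | classify_syn_scan ;;
esac
```

`sh synscan.sh demo` (file name assumed) prints "22 open", "25 closed" and "80 filtered" for the sample; `sh synscan.sh pcap scan.pcap` runs the same classification over a capture taken on the firewall with `tcpdump -w`. The third line of the sample is the point of the post: the scanner answers the SYN|ACK with a RST, so the target's accept() never returns and nothing in user space logs it, while the RST is plain to see for anything that looks at packets.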

#6 wildweaselmi (Administrator, 1,024 posts)
Posted 15 July 2010 - 02:10 PM

$ sudo nmap -sS -p 80,443,1494,2598 12.15.7.44
[sudo] password:

Starting Nmap 5.00 ( http://nmap.org ) at 2010-07-15 15:01 EDT
Interesting ports on data.website.com (12.15.7.44):
PORT STATE SERVICE
80/tcp   open http
443/tcp  open https
1494/tcp filtered citrix-ica
2598/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 3.87 seconds

#7 rev.research (Member, 65 posts)
Posted 04 January 2012 - 09:15 AM

If I want to see what ports are open on a particular device I just run

nmap 10.6.56.244

It comes back with which ports are open. Very handy.

#8 wildweaselmi (Administrator, 1,024 posts)
Posted 13 May 2012 - 01:53 AM

Very helpful nmap command using a file as the input list of IP addresses (hosts) to test.
sudo nmap -vv -iL vpn41.txt -p 22,23 -oN vpn41results.txt
vpn41.txt is a list of all the IP addresses to test
vpn41results.txt is a file with the results
