Firewall Wizards mailing list archives

Re: Tool for testing filters?


From: Chris Brenton <cbrenton () sover net>
Date: Tue, 13 Jan 1998 16:36:41 -0500

Fernando da Silveira Montenegro wrote:

> The problem is not so much knowing that the path is being blocked (a
> tcpdump on the incoming interface will tell you whether the packets
> are arriving or not), but knowing *where* it is stopping.

What about an isolated machine outside your own firewall? This would allow you
to test part of the route. If you know the route in to you is clear, you could
use this as middle ground to test both ends of the connection (i.e. point "A" to
you and then from you to point "B")

Actually, I'm surprised you are having this much trouble. My experience has been
that ISPs typically leave the wire wide open (too much overhead to filter). If
they are providing firewalling services, they usually want to charge you for it.
;)  IMO it can be argued that if they are filtering traffic, they are not
providing a full Internet connection.

Another option may be a packet generator. Most static filters are designed to
block connection establishment (SYN=1, ACK=0). You may try sending a packet with
FIN or RST set high to see if that makes it through. If this works while EST
fails, you know there is filtering taking place.


> I think I'll fiddle with traceroute to see what happens...

This will be tough. Traceroute sends a series of echo requests and increments
the hop count by one for each set. TCP, to the best of my knowledge, will be
difficult to get to respond this way because you are looking to trace a specific
port, not physical routes. If a machine along the way is a proxy, you may be
able to message a response. If it is a simple packet filter, there is no running
process available to reply.


> what do I do about non-TCP/UDP traffic (there are quite a few routers
> out there configured to allow only UDP/TCP/ICMP because the people
> configuring them never thought about other IP types.)

Some have thought about them, they just did not see a need to support them. ;)
Actually, from the list of services you mentioned, TCP should be all you need.

Good luck,
Chris
--
**************************************
cbrenton () sover net

Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529

Support the anti-spam movement: http://www.cauce.org/
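The "packet generator" point in the message above (a static filter that only blocks SYN=1/ACK=0 will pass FIN, RST or ACK packets even when no connection exists) is easy to model. The following is an added example, not code from the original thread or from either author: it contrasts a stateless "block connection establishment" rule with a connection-tracking filter, using made-up addresses, ports and rule logic, so that a defender can see why the stateless rule leaks and what the stateful one checks instead.

```python
"""Stateless "established-only" TCP rule versus a connection-tracking filter.

Constructed example: addresses, ports and the filter logic are all
assumptions made here to illustrate the behaviour, not a real product.
"""
from dataclasses import dataclass, field

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

    def has(self, flag: int) -> bool:
        return bool(self.flags & flag)


def stateless_filter(pkt: Packet) -> bool:
    """Classic static rule: drop inbound connection attempts (SYN=1, ACK=0)
    and pass everything else. Anything carrying ACK, FIN or RST gets
    through whether or not a connection actually exists."""
    return not (pkt.has(SYN) and not pkt.has(ACK))


@dataclass
class StatefulFilter:
    """Connection-tracking filter: an inbound packet passes only if it
    belongs to a flow that an inside host opened first. Real
    implementations also time entries out; omitted here for brevity."""
    table: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> bool:
        # Record the flow when an inside host starts a connection.
        if pkt.has(SYN) and not pkt.has(ACK):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # The reply must match a recorded outbound flow, reversed.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.table


# Constructed inbound probes from an outside host to an inside mail server.
PROBES = [
    ("syn", Packet("203.0.113.5", "192.0.2.10", 40000, 25, SYN)),
    ("fin", Packet("203.0.113.5", "192.0.2.10", 40000, 25, FIN)),
    ("rst", Packet("203.0.113.5", "192.0.2.10", 40000, 25, RST)),
    ("ack", Packet("203.0.113.5", "192.0.2.10", 40000, 25, ACK)),
]


def probe_verdicts():
    """Verdicts for unsolicited inbound probes as (stateless, stateful)."""
    sf = StatefulFilter()  # has seen no outbound traffic
    return {name: (stateless_filter(p), sf.inbound(p)) for name, p in PROBES}


def reply_verdict():
    """An inside host opens a connection out; the SYN/ACK coming back is
    legitimate and both filters pass it."""
    sf = StatefulFilter()
    sf.outbound(Packet("192.0.2.10", "203.0.113.5", 51000, 80, SYN))
    reply = Packet("203.0.113.5", "192.0.2.10", 80, 51000, SYN | ACK)
    return stateless_filter(reply), sf.inbound(reply)


if __name__ == "__main__":
    for name, verdict in probe_verdicts().items():
        print(f"inbound {name:3}: stateless pass={verdict[0]}, stateful pass={verdict[1]}")
    print("legit SYN/ACK reply:", reply_verdict())
```

Running it shows the unsolicited SYN dropped by both filters, while the FIN, RST and bare ACK probes pass the stateless rule and are dropped by the stateful one; the only inbound packet the stateful filter accepts is the SYN/ACK answering a connection the inside host opened.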
