Firewall Wizards mailing list archives
Re: Tool for testing filters?
From: Chris Brenton <cbrenton () sover net>
Date: Tue, 13 Jan 1998 16:36:41 -0500
Fernando da Silveira Montenegro wrote:
> The problem is not so much knowing that the path is being blocked (a tcpdump on the incoming interface will tell you whether the packets are arriving or not), but knowing *where* it is stopping.
What about an isolated machine outside your own firewall? This would allow you to test part of the route. If you know the route in to you is clear, you could use this as middle ground to test both ends of the connection (i.e. point "A" to you and then from you to point "B").

Actually, I'm surprised you are having this much trouble. My experience has been that ISPs typically leave the wire wide open (too much overhead to filter). If they are providing firewalling services, they usually want to charge you for it. ;) IMO it can be argued that if they are filtering traffic, they are not providing a full Internet connection.

Another option may be a packet generator. Most static filters are designed to block connection establishment (SYN=1, ACK=0). You may try sending a packet with FIN or RST set high to see if that makes it through. If this works while EST fails, you know there is filtering taking place.
> I think I'll fiddle with traceroute to see what happens...
This will be tough. Traceroute sends a series of echo requests and increments the hop count by one for each set. TCP, to the best of my knowledge, will be difficult to get to respond this way because you are looking to trace a specific port, not physical routes. If a machine along the way is a proxy, you may be able to massage a response. If it is a simple packet filter, there is no running process available to reply.
> what do I do about non-TCP/UDP traffic (there are quite a few routers out there configured to allow only UDP/TCP/ICMP because the people configuring them never thought about other IP types.)
Some have thought about them, they just did not see a need to support them. ;) Actually, from the list of services you mentioned, TCP should be all you need.

Good luck,
Chris

--
**************************************
cbrenton () sover net
Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
Support the anti-spam movement: http://www.cauce.org/
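The reasoning in Chris's reply (a static filter drops SYN-only packets but passes FIN/RST, whereas a stateful filter passes nothing unsolicited) modelled as a small simulation. This is an added example, not code from the thread; the addresses, ports and both filter classes are constructed for illustration and do not emulate any particular product.

```python
from dataclasses import dataclass, field

# TCP flag bits used by the model (constructed; no real packets are parsed).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port
    flags: int    # bitwise OR of the flag constants above


def stateless_filter(pkt: Packet) -> bool:
    """Static filter as described in the thread: drop only connection
    attempts (SYN=1, ACK=0); every other flag combination is let through."""
    return not (pkt.flags & SYN and not pkt.flags & ACK)


@dataclass
class StatefulFilter:
    """Stateful filter: an inbound packet passes only if it belongs to a
    flow that a host on the inside opened first."""
    flows: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        if pkt.flags & SYN:  # an inside host opening a connection creates state
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows


PROBES = {"SYN": SYN, "FIN": FIN, "RST": RST, "ACK": ACK}


def probe(allow, src="203.0.113.5", dst="192.0.2.10", dport=80) -> dict:
    """Send one unsolicited probe per flag pattern and record which pass."""
    return {name: allow(Packet(src, 40000, dst, dport, bits))
            for name, bits in PROBES.items()}


def classify(results: dict) -> str:
    """Apply the thread's inference to a set of probe results."""
    if all(results.values()):
        return "no filtering observed"
    if not results["SYN"] and (results["FIN"] or results["RST"]):
        return "static (stateless) filter: blocks SYN-only, passes FIN/RST"
    return "stateful filter or path blocked: nothing unsolicited passes"
```

Running `classify(probe(stateless_filter))` against `classify(probe(StatefulFilter().inbound))` shows why the FIN/RST trick only distinguishes a static filter; a stateful one looks the same as a dead path until an inside host opens a flow.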