Testing firewall rules

Sometimes it is handy to check firewall rules without coordinating a test with the end user. For these tests, use the hping2 utility to “spoof” traffic coming from the source IP address(es) used in the firewall rules.

At the same time, monitor the internal and external network interfaces on the firewall to make sure traffic is reaching the firewall and allowed through the firewall. In order to do this, you must have root access on the firewall and on the machine running hping2.

Example firewall rule:
Permit source IP 192.168.1.1 to communicate with destination IP 10.0.0.1 over TCP port 1000.

To test the rule, issue the following hping2 command:

hping2 -a 192.168.1.1 10.0.0.1 -p 1000

At the same time, log into the firewall and run the following commands (example with internal network interface eth0 and external network interface eth1):

In window 1:
tcpdump -i eth0 host 192.168.1.1 and port 1000

In window 2:
tcpdump -i eth1 host 10.0.0.1 and port 1000

If you do not see any output in window 1, traffic is not reaching the firewall. A choke router or other packet-filtering device may not be allowing the traffic to reach the firewall.

If you see output in window 1 but not in window 2, traffic is not being allowed through the firewall. Check the firewall rulebase for any errors.
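
The two checks above can also be applied to saved capture text. The script below is an added example, not part of the original post: it counts packets from the rule's source to its destination port in each window's output and reports which case applies. The sample capture lines are constructed and assume tcpdump's numeric output (its -n option); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a firewall-rule test from the two tcpdump windows.
# Rule under test (from the example rule in the text).
SRC=192.168.1.1 DST=10.0.0.1 PORT=1000

# Constructed sample of window 1 (eth0): the test packets arrive.
WIN1='12:00:01.000001 IP 192.168.1.1.2345 > 10.0.0.1.1000: Flags [none], win 512, length 0
12:00:02.000001 IP 192.168.1.1.2346 > 10.0.0.1.1000: Flags [none], win 512, length 0'

# Constructed sample of window 2 (eth1): nothing was forwarded.
WIN2=''

# count_matches CAPTURE: number of lines showing SRC -> DST:PORT.
# "port 1000" in the tcpdump filter also matches replies sent from
# port 1000, so the direction is checked here explicitly.
count_matches() {
    printf '%s\n' "$1" | awk -v s="$SRC" -v d="$DST" -v p="$PORT" '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # numeric tcpdump output is addr.port; split at the last dot
            sa = src; sub(/\.[0-9]+$/, "", sa)
            da = dst; sub(/\.[0-9]+$/, "", da)
            dp = dst; sub(/^.*\./, "", dp)
            if (sa == s && da == d && dp == p) n++
        }
        END { print n + 0 }'
}

# diagnose WIN1_TEXT WIN2_TEXT: apply the two checks from the text.
diagnose() {
    seen_in=$(count_matches "$1")
    seen_out=$(count_matches "$2")
    if [ "$seen_in" -eq 0 ]; then
        echo "not-reaching-firewall"   # check upstream filtering devices
    elif [ "$seen_out" -eq 0 ]; then
        echo "blocked-by-firewall"     # check the firewall rulebase
    else
        echo "allowed"
    fi
}

diagnose "$WIN1" "$WIN2"
```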
