
[FW1] Method of Testing Your firewall rulebase



Here is another method for testing/auditing your firewall
rulebases.  I'll be adding this to my paper :)

--- Firewalk meets nmap/hping2 ---

Method:
-------
To determine which packets are not filtered by your firewall
rulebase (i.e. what packet can make it through your firewall), 
run a port scanner with the TTL set to the number of hops to
the firewall itself.  Any packet sent that receives an ICMP
error message of TTL Expired means that port is not filtered.

Reason:
-------
Many CheckPoint installations I have seen have the two following
issues.

1.  The underlying operating system sends ICMP error messages.
2.  The firewall rulebase allows the firewall to initiate any
    connections.

So, send a packet through your firewall that you know can pass
(such as a packet to port 25 on your mail server).  The firewall
should allow it to pass.  Now, set the TTL on the packet to the
same number of hops to your firewall.  When the packet hits your
firewall, the firewall will accept it, decrement the TTL to zero,
then send an ICMP error message to your system.  If the packet
is not accepted by the firewall, then no response.  So the theory
is....

   Port NOT filtered:
 - ICMP TTL Expired error message (for both UDP and TCP packets)

   Port is filtered:
 - No return packet

This makes it much easier to determine what ports are not filtered
by your firewall rulebase, especially UDP packets.  You don't even
need a system behind the firewall to respond, because the firewall
is doing all the work for you.  This testing can easily be done by
hping2.  We'll also see if Fyodor can add this feature to nmap :)

Fix:
----
Have your firewalls drop ICMP error messages, even if they are
generated by the firewall.  There could be a network impact, so
do balance carefully :)
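A small simulation of the method and of the fix above, added here as an illustration (it is not Lance Spitzner's code nor anything from hping2 or nmap). It models a firewall that accepts a constructed rulebase, shows how the ICMP TTL Expired reply alone classifies each port, and shows that once the firewall drops its own ICMP errors the audit returns nothing; the hop count and rulebase are assumed values.

```python
"""Constructed model of the TTL-expiry audit: probes never leave this process."""
from dataclasses import dataclass

FIREWALL_HOPS = 3  # assumption: the firewall is 3 hops from the auditing host


@dataclass
class Firewall:
    allowed: set                     # (proto, port) pairs the rulebase accepts
    sends_icmp_errors: bool = True   # issue 1: the OS emits ICMP error messages
    fw_may_initiate: bool = True     # issue 2: rulebase lets the firewall send anything

    def handle(self, proto, port, arrival_ttl):
        """Return the reply the auditing host sees for one probe, or None."""
        if (proto, port) not in self.allowed:
            return None                      # rule drops it silently: no reply
        if arrival_ttl - 1 > 0:
            return None                      # accepted and forwarded; firewall stays quiet
        # TTL reached zero on the firewall itself
        if self.sends_icmp_errors and self.fw_may_initiate:
            return "icmp-ttl-expired"
        return None


def audit(fw, probes, ttl=FIREWALL_HOPS, hops=FIREWALL_HOPS):
    """Classify each (proto, port) from the ICMP reply alone, as the post describes.
    Each router before the firewall decrements TTL once, so the firewall sees
    ttl - (hops - 1); with ttl == hops it arrives as 1 and expires there."""
    arrival_ttl = ttl - (hops - 1)
    result = {}
    for proto, port in probes:
        reply = fw.handle(proto, port, arrival_ttl)
        result[(proto, port)] = "not filtered" if reply == "icmp-ttl-expired" else "filtered"
    return result


# Constructed sample rulebase and probe list (not from any real installation)
RULEBASE = {("tcp", 25), ("tcp", 80), ("udp", 53)}
PROBES = [("tcp", 25), ("tcp", 23), ("tcp", 80), ("udp", 53), ("udp", 161)]

if __name__ == "__main__":
    leaky = Firewall(RULEBASE)
    fixed = Firewall(RULEBASE, fw_may_initiate=False)  # the post's fix: drop fw-generated ICMP errors
    print("leaky:", audit(leaky, PROBES))
    print("fixed:", audit(fixed, PROBES))
    # With the wrong TTL the probe is forwarded and every port looks filtered
    print("leaky, TTL too high:", audit(leaky, PROBES, ttl=FIREWALL_HOPS + 1))
```

Note the last case: if the hop count to the firewall is mis-measured, accepted ports are reported as filtered, so the method only tells you about ports that answer, never proving that a silent port is blocked.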


-- 
Lance Spitzner
http://www.enteract.com/~lspitz




