[FW1] Method of Testing Your firewall rulebase
Here is another method for testing/auditing your firewall rulebases. I'll be adding this to my paper :)

--- Firewalk meets nmap/hping2 ---

Method:
-------
To determine which packets are not filtered by your firewall rulebase (i.e. which packets can make it through your firewall), run a port scanner with the TTL set to the number of hops to the firewall itself. Any packet sent that receives an ICMP TTL Expired error message means that port is not filtered.

Reason:
-------
Many CheckPoint installations I have seen have the following two issues.

1. The underlying operating system sends ICMP error messages.
2. The firewall rulebase allows the firewall to initiate any connections.

So, send a packet through your firewall that you know can pass (such as a packet to port 25 on your mail server). The firewall should allow it to pass. Now, set the TTL on the packet to the same number of hops to your firewall. When the packet hits your firewall, the firewall will accept it, decrement the TTL to zero, then send an ICMP error message to your system. If the packet is not accepted by the firewall, then no response.

So the theory is....

Port NOT filtered:
  - ICMP TTL Expired error message (for both UDP and TCP packets)

Port is filtered:
  - No return packet

This makes it much easier to determine what ports are not filtered by your firewall rulebase, especially UDP packets. You don't even need a system behind the firewall to respond, because the firewall is doing all the work for you. This testing can easily be done by hping2. We'll also see if Fyodor can add this feature to nmap :)

Fix:
----
Have your firewalls drop ICMP error messages, even if they are generated by the firewall.
There could be a network impact, so do balance carefully :)

-- Lance Spitzner
http://www.enteract.com/~lspitz
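The probe described above, as an added example (not Lance's code, and not something he posted): a small Python wrapper that builds the hping2 command line with the TTL pinned to the hop count of the firewall, and a classifier that applies his rule to hping2's text output. It assumes hping2 is installed and run as root, that the operator has already measured the hop count to the firewall (for example with traceroute to the firewall's own address), and that the firewall's IP is known so that a Time Exceeded from some other router is not mistaken for a verdict. The sample transcripts embedded in the block are constructed to match hping2's message formats (RFC 5737 addresses); they were not captured from any real firewall. It goes slightly beyond the post by also labelling the two answers the rule does not cover: a real SYN/ACK, RST or Port Unreachable from the end host means the TTL was too high and the probe is inconclusive, and an ICMP Unreachable from the firewall itself is a reject rule rather than a drop.

```python
"""Firewalk-style rulebase check with hping2, as described in the post.

Added example, not the original author's code. Assumes hping2 is installed and
run as root, and that the operator already knows the hop count to the firewall
(e.g. from traceroute). The sample outputs below are constructed to match
hping2's message formats; they were not captured from a real firewall.
"""
import re
import subprocess
from dataclasses import dataclass

# Lines hping2 prints for the three kinds of answer a probe can get.
_RE_TIME_EXCEEDED = re.compile(r"^TTL 0 during (transit|reassembly) from ip=(\S+)")
_RE_TCP_REPLY = re.compile(r"^len=\d+ ip=(\S+) .*\bsport=(\d+) flags=(\S+)")
_RE_ICMP_UNREACH = re.compile(r"^ICMP (.+?) from ip=(\S+)")


@dataclass
class Verdict:
    port: int
    proto: str
    state: str      # "not filtered", "filtered" or "inconclusive"
    evidence: str   # the hping2 line (or its absence) the verdict rests on


def hping2_cmd(target, port, ttl, proto="tcp", count=1):
    """argv for one probe: -t sets the IP TTL so the packet expires on the
    firewall, -S sends a TCP SYN, --udp a UDP datagram, -n keeps output numeric."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    argv = ["hping2", "-n", "-c", str(count), "-t", str(ttl), "-p", str(port)]
    argv.append("-S" if proto == "tcp" else "--udp")
    argv.append(target)
    return argv


def classify(output, port, proto, firewall_ip=None):
    """Apply the post's rule to one probe's output.

    ICMP Time Exceeded from the firewall -> rulebase accepted it ("not filtered")
    nothing back                         -> dropped ("filtered")
    ICMP Unreachable from the firewall   -> a reject rule ("filtered")
    Anything from another host (SYN/ACK or RST from the target, Time Exceeded
    from some other router, Port Unreachable from the target) means the TTL did
    not expire on the firewall, so the probe says nothing about the rulebase
    ("inconclusive"): fix the hop count and re-run.
    """
    for line in output.splitlines():
        line = line.strip()
        m = _RE_TIME_EXCEEDED.match(line)
        if m:
            if firewall_ip and m.group(2) != firewall_ip:
                return Verdict(port, proto, "inconclusive", line)
            return Verdict(port, proto, "not filtered", line)
        if _RE_TCP_REPLY.match(line):
            return Verdict(port, proto, "inconclusive", line)
        m = _RE_ICMP_UNREACH.match(line)
        if m:
            if firewall_ip and m.group(2) == firewall_ip:
                return Verdict(port, proto, "filtered", line)
            return Verdict(port, proto, "inconclusive", line)
    return Verdict(port, proto, "filtered", "no response")


def probe(target, port, ttl, proto="tcp", firewall_ip=None, timeout=10):
    """Send one probe with hping2 (root needed) and classify the answer."""
    res = subprocess.run(hping2_cmd(target, port, ttl, proto),
                         capture_output=True, text=True, timeout=timeout)
    return classify(res.stdout + res.stderr, port, proto, firewall_ip)


# Constructed hping2 transcripts (RFC 5737 addresses): 192.0.2.1 is the
# firewall, 192.0.2.10 the mail server behind it.
SAMPLES = {
    "accepted":     "HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes\n"
                    "TTL 0 during transit from ip=192.0.2.1 name=UNKNOWN\n",
    "dropped":      "HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes\n"
                    "\n--- 192.0.2.10 hping statistic ---\n"
                    "1 packets transmitted, 0 packets received, 100% packet loss\n",
    "rejected":     "ICMP Host Unreachable from ip=192.0.2.1 name=UNKNOWN\n",
    "ttl_too_high": "len=46 ip=192.0.2.10 ttl=63 DF id=0 sport=25 flags=SA seq=0 win=5840 rtt=1.1 ms\n",
}


def demo(firewall_ip="192.0.2.1"):
    """Classify the constructed samples offline; returns {name: state}."""
    cases = {"accepted": (25, "tcp"), "dropped": (23, "tcp"),
             "rejected": (23, "tcp"), "ttl_too_high": (25, "tcp")}
    return {name: classify(SAMPLES[name], *cases[name], firewall_ip).state
            for name in SAMPLES}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # live run: target and hop count to the firewall
        target, hops = sys.argv[1], int(sys.argv[2])
        for proto, port in [("tcp", 25), ("tcp", 80), ("tcp", 23), ("udp", 53)]:
            v = probe(target, port, hops, proto)
            print(f"{proto}/{port}: {v.state}  [{v.evidence}]")
    else:
        for name, state in demo().items():
            print(f"{name}: {state}")
```

Run it with no arguments to see the classifier on the constructed samples, or as `python3 firewalk_hping.py mail.example.com 4` (as root, with the hop count to the firewall in place of 4) to send real probes. The "inconclusive" state is the check worth keeping: if the target itself answers, the TTL was larger than the distance to the firewall and the "not filtered" list would otherwise silently include ports the firewall never saw expire.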