Sometimes it is handy to check firewall rules without coordinating a test with the end user. For these tests, use the hping2 utility to "spoof" traffic coming from the source IP address(es) used in the firewall rules.
At the same time, monitor the internal and external network interfaces on the firewall to make sure traffic is reaching the firewall and is being allowed through it. In order to do this, you must have root access on the firewall and on the machine running hping2.
Example firewall rule:
Permit source IP 192.168.1.1 to communicate with destination IP 10.0.0.1 over TCP port 1000.
To test the rule, issue the following hping2 command:
hping2 -a 192.168.1.1 10.0.0.1 -p 1000
At the same time, log into the firewall and run the following commands (example using a Solaris firewall with internal network interface hme0 and external network interface qfe0):
In window 1:
snoop -d hme0 host 192.168.1.1 port 1000
-- or --
tcpdump -i hme0 host 192.168.1.1 and port 1000
In window 2:
snoop -d qfe0 host 10.0.0.1 port 1000
-- or --
tcpdump -i qfe0 host 10.0.0.1 and port 1000
If you do not see any output in window 1, traffic is not reaching the firewall. A choke router or other packet-filtering device may not be allowing the traffic to reach the firewall.
If you see output in window 1 but not in window 2, traffic is not being allowed through the firewall. Check the firewall rulebase for any errors.
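As an added example that is not part of the original page, the following POSIX shell script parameterises the procedure above for any "permit SRC to DST over TCP/PORT" rule: it builds the hping2 probe and the per-interface tcpdump commands, counts the probe packets in saved capture output from each window, and applies the window 1 / window 2 decision rule. The interface names, the sample capture text and the -S and -c options are assumptions added here; the page's own hping2 command sends hping2's default TCP packet with no flags set, which a stateful firewall may not accept as the start of a new connection, so the example sets SYN.

```shell
#!/bin/sh
# Added example (not from the original page): parameterises the spoofed-probe
# test for a "permit SRC -> DST over TCP/PORT" rule and classifies the outcome
# from what the two capture windows recorded.
# Assumptions: hping2 is on the probing host and tcpdump on the firewall;
# interface names (hme0/qfe0) and the sample capture text below are constructed.

# Probe command for the rule. The page's command sends hping2's default TCP
# packet (no flags set); this version adds -S so a stateful firewall sees a
# proper SYN, and -c to send a fixed number of probes.
probe_cmd() {
    # $1 = source IP to spoof, $2 = destination IP, $3 = TCP port, $4 = count (default 3)
    printf 'hping2 -a %s -S -p %s -c %s %s\n' "$1" "$3" "${4:-3}" "$2"
}

# Capture command for one firewall interface. Window 1 (internal side) can
# match the spoofed source; window 2 (external side) matches destination only,
# as on the page, since the firewall may rewrite the source on the way out.
capture_cmd() {
    # $1 = interface, $2 = destination IP, $3 = TCP port, $4 = optional source IP
    filter="dst host $2 and tcp dst port $3"
    if [ -n "${4:-}" ]; then
        filter="src host $4 and $filter"
    fi
    printf 'tcpdump -nn -i %s %s\n' "$1" "$filter"
}

# Count probe packets in saved tcpdump output ($1) addressed to $2 port $3.
# tcpdump prints the destination as "dst.port:", so a fixed-string match on
# "> 10.0.0.1.1000: " picks out only the flow under test.
count_probe_lines() {
    printf '%s\n' "$1" | grep -c -F "> $2.$3: " || true
}

# Apply the page's decision rule to the two counts.
# $1 = packets seen on the internal interface, $2 = packets seen on the external one.
diagnose() {
    if [ "$1" -eq 0 ]; then
        echo not-reaching-firewall   # a choke router or other filter dropped it upstream
    elif [ "$2" -eq 0 ]; then
        echo blocked-by-firewall     # arrived on hme0 but never left on qfe0: check the rulebase
    else
        echo permitted
    fi
}

# Constructed sample output for window 1 (hme0): two probes for the tested rule
# plus one unrelated packet to port 22 that must not be counted.
SAMPLE_INTERNAL='12:00:00.000001 IP 192.168.1.1.1234 > 10.0.0.1.1000: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 192.168.1.1.1235 > 10.0.0.1.1000: Flags [S], seq 2, win 512, length 0
12:00:01.500000 IP 192.168.1.1.1236 > 10.0.0.1.22: Flags [S], seq 3, win 512, length 0'
# Constructed sample for window 2 (qfe0): nothing made it through.
SAMPLE_EXTERNAL=''

# Run the whole check against the constructed samples.
run_demo() {
    internal=$(count_probe_lines "$SAMPLE_INTERNAL" 10.0.0.1 1000)
    external=$(count_probe_lines "$SAMPLE_EXTERNAL" 10.0.0.1 1000)
    diagnose "$internal" "$external"
}

probe_cmd 192.168.1.1 10.0.0.1 1000
capture_cmd hme0 10.0.0.1 1000 192.168.1.1
capture_cmd qfe0 10.0.0.1 1000
run_demo
```

Save each window's capture with `tcpdump -l ... > window1.txt` (and likewise for window 2), then feed the file contents to count_probe_lines and diagnose; the constructed samples above give "blocked-by-firewall", the case where the rulebase needs checking.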