How to test my Firewall

Recently I opened a thread that, somehow, raged some people . My apologies for that if it seemed that this is a "Hacker forum" for me. It isn't.
In the words of LowWaterMark: Perhaps a better topic would be asking people if they know of automated testing sites I could use. Or maybe about specific tools or training materials you could get to help me advance my own skill level.

What I need is to test my Firewall, but I don't know how and I currently don't have the time to learn how. Any documentation is welcome.

Regards.

 

Test Your Firewall.

The benefit of the above tests is that they are coming from an external IP address and thus do not give anomalous results as compared to running similar tests from your computer inside your firewall. There are also ports scans from Shields Up! link at grc.com.

-- Tom

 

and from inside you can check what apps are running and port open from inside out with help of zenmap (nmap-gui)

 

I tested that and many others, my ports are closed. But even Windows, with no Firewall and it's own being disabled, gives that output. So these "testers" are worth nothing but to see if you have any open ports.

The best way is with someone experienced into searching for vulnerabilities (aside from open ports), which these sites don't do. I couldn't find any good site that looks for vulnerabilities.

I'll look for documentation in this subject.

 

If the tests you tried show no open ports, then from this perspective, there are no vulnerabilities, so there is no need to search further.

 

grc.com

 

The testing of a firewall should always be done from an external website. The main reason is that when you use a tool like nmap from inside your firewall - you will get false positives and begin to conclude that your ports are open rather than stealthed! You might ask, how do I know this. It was the only logical conclusion remaining when I initially setup my FiOS router and initially tested with nmap from my computer inside the router firewall rather than from an external website - i.e. when tested from an external website, my ports were indeed stealthed which is not the result you get from testing from your computer with nmap from inside the firewall.

If you have a hardware router with a firewall, that is the firewall being tested from the external website which is the most important firewall to protect you from external attacks and vulnerabilities in your hardware firewall setup.

If your internal local network has several computers each with an internal software firewall, that would be when you should test with nmap from one computer to the others (assuming only one router firewall protecting the entire internal local network from external incursion).

Looking through my notes, I used the website, http://nmap-online.com which now redirects to http://nmap.online-domain-tools.com/ which is what I recommend you should use to test your router firewall.

-- Tom

 

for those behind a hardware firewall/router/adsl modem, the external tests from sites such as GRC will test the hardware firewall, not any software firewall on your PC. to test it, you must place your PC's internal IP address into a 'DMZ' that bypasses the hardware firewall and routes all the traffic directly to your pc, and the method is slightly different for each h/w vendor.

p.s. - DMZ| is really an acronym for 'DeMilitarized Zone', which has been adopted by us geeks for this exposed and undefended area, which effectively puts your pc's IP outside the protected (militarised?) zone behind the 'wall', leaving it's defence to you, and your software firewall.

 

No open ports is the same state right after installing any Linux distro, most set their ports to close. As I said, even Windows, with no antivirus and with it's Firewall disabled, showed all ports closed. How's that safe? It's not
A penetration test is far from being "you're port are all closed".

Already did.

Actually, when I tested with nmap it said all my ports were filtered. No difference from the Windows I tested with no protection at all.

What's the Terminal output from nmap when the ports are stealthed? What's the command to check it?

I'm very tempted to buy a firewall. Any suggestions on a good one?

Thanks. I'll check it.

 

Maybe you should get an idea first about what level of security you want to achieve, because firewall testing and penetration testing are pretty different things.

 

A penetration testing will never succeed when a good firewall is set correctly.

 

In this case, it won't succeed even if you don't have a firewall, but your ports are all closed... What else are you trying to achieve with a firewall, that can't be solved by closing all ports?

 

Not necessarily. A firewall is just one tool, they are not a panacea. The particulars vary widely on precise context and technologies being discussed; but in the typical case of a network hardware firewall appliance, they are largely only "gate-ing" mechanisms based on network protocols up through layer 4.

There are many situations that might require you to open access to a specific protocol & destination port in order to support some functionality -- perhaps you want to host a website, or perhaps you want to allow your PC to more fully participate in some game functionality requiring inbound ports, etc -- in which the firewall cannot protect you. In these situations you're ultimately at the mercy of application-layer technologies, and generally that means host-based application-layer protection mechanisms of some sort... or, most likely, simply staying current on OS & application patches.

In a home setting, most users rarely have a legitimate need for any inbound ports... however, in corporate settings, there is almost always such a need. Thus, vulnerability assessment scanning, reconnaissance scanning, and penetration testing are invaluable in corporate environments regardless of how "perfect" or "clean" you think your firewall configuration may be.

 

Because there are ways of opening closed ports, thus giving the attacker an ability of exploiting system vulnerabilities.

In my case I just want to secure my own machine
I don't have a hardware firewall (yet) and I want to see if any vulnerabilities are found.

 

Well, in the typical home setting, inbound protection is sort of a by-product of the NAT'ing functionality of your typical cable modem or DSL router. The appliance has to build a NAT table for outbound connections, and without some inbound port-mapping... the device has no way to map the shared external public IP to one of the internal IPs and so it typically drops the externally initiated traffic because it has no other way of knowing what to do with it.

 

Huh?

 

That is not true in the sense that if a determined attacker sends you a specially crafted custom packet - any "good" firewall can be penetrated.

-- Tom

 

There are any number of routers that support either DD-WRT or Tomato firmware(s).

I would search each of these websites for hardware compatible routers to purchase.

For Reference: List of wireless router firmware projects.
at Wikipedia: DD-WRT and Tomato.

The Top 6 Alternative Firmwares For Your Router.

-- Tom

 

https://wiki.archlinux.org/index.php/Port_Knocking

Is this just assumption or there have been actual cases, specially with the latest kernels?

 

This is not an assumption, but written about by security researchers whom have demonstrated it in the past, so it is well known to the security community.

Router firewalls usually have nothing to do with a computer's kernel, i.e. they have their own firmware from which they run, e.g. BusyBox, and other firmwares.

-- Tom

 

That requires you (and not an attacker) to configure your OS/firewall to do so.

 

Oh, yes. My bad.

I understand, but I'm talking about my case in particular, in which I don't have a hardware firewall. So I rely on the Linux developers to be protected.

 

You do understand, then, I presume, that the Linux firewall is not turned on by default - i.e. you have to initialize it with rules!

-- Tom

 

AFAIK it IS turned on considering it's the default Firewall in the Linux Kernel. It may not be configured by default (and that I understand), but I think it's actually on by default. I'll go look more into that.

 

No, it is not turned on by default, meaning that there are two parts of it, i.e. netfilter and iptables. What is enabled by default is certain netfilter capabilities, but, until you feed rules into and activate the the netfilter/iptables fremwork with iptables rules - everything is not as you assumed.

See; Firewalls for examples.

-- Tom