How to test my Firewall

Discussion in 'all things UNIX' started by amarildojr, Jan 25, 2014.

Thread Status:
Not open for further replies.
  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    Recently I opened a thread that, somehow, enraged some people :rolleyes: . My apologies for that if it seemed that this is a "Hacker forum" for me. It isn't.
    In the words of LowWaterMark: Perhaps a better topic would be asking people if they know of automated testing sites I could use. Or maybe about specific tools or training materials you could get to help me advance my own skill level.

    What I need is to test my Firewall, but I don't know how and I currently don't have the time to learn how. Any documentation is welcome.

    Regards.
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    Test Your Firewall.

    The benefit of the above tests is that they are coming from an external IP address and thus do not give anomalous results as compared to running similar tests from your computer inside your firewall. There are also ports scans from Shields Up! link at grc.com.

    -- Tom
     
  3. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    and from inside you can check what apps are running and which ports are open, from the inside out, with the help of zenmap (nmap-gui)
     
  4. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    I tested that and many others, my ports are closed. But even Windows, with no Firewall and its own being disabled, gives that output. So these "testers" are worth nothing but to see if you have any open ports.

    The best way is with someone experienced into searching for vulnerabilities (aside from open ports), which these sites don't do. I couldn't find any good site that looks for vulnerabilities. :doubt:

    I'll look for documentation in this subject.
     
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    If the tests you tried show no open ports, then from this perspective, there are no vulnerabilities, so there is no need to search further.
     
  6. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    211
    grc.com
     
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    The testing of a firewall should always be done from an external website. The main reason is that when you use a tool like nmap from inside your firewall - you will get false positives and begin to conclude that your ports are open rather than stealthed! You might ask, how do I know this. It was the only logical conclusion remaining when I initially setup my FiOS router and initially tested with nmap from my computer inside the router firewall rather than from an external website - i.e. when tested from an external website, my ports were indeed stealthed which is not the result you get from testing from your computer with nmap from inside the firewall.

    If you have a hardware router with a firewall, that is the firewall being tested from the external website which is the most important firewall to protect you from external attacks and vulnerabilities in your hardware firewall setup.

    If your internal local network has several computers each with an internal software firewall, that would be when you should test with nmap from one computer to the others (assuming only one router firewall protecting the entire internal local network from external incursion).

    Looking through my notes, I used the website, http://nmap-online.com which now redirects to http://nmap.online-domain-tools.com/ which is what I recommend you should use to test your router firewall.

    -- Tom
     
    Last edited: Jan 27, 2014
  8. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    209
    Location:
    CSA Consulate, Glos., UK
    for those behind a hardware firewall/router/adsl modem, the external tests from sites such as GRC will test the hardware firewall, not any software firewall on your PC. to test it, you must place your PC's internal IP address into a 'DMZ' that bypasses the hardware firewall and routes all the traffic directly to your pc, and the method is slightly different for each h/w vendor.

    p.s. - DMZ is really an acronym for 'DeMilitarized Zone', which has been adopted by us geeks for this exposed and undefended area, which effectively puts your pc's IP outside the protected (militarised?) zone behind the 'wall', leaving its defence to you, and your software firewall.
     
    Last edited: Jan 27, 2014
  9. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    No open ports is the same state right after installing any Linux distro, most set their ports to close. As I said, even Windows, with no antivirus and with its Firewall disabled, showed all ports closed. How's that safe? It's not ;)
    A penetration test is far from being "your ports are all closed".

    Already did.

    Actually, when I tested with nmap it said all my ports were filtered. No difference from the Windows I tested with no protection at all.

    What's the Terminal output from nmap when the ports are stealthed? What's the command to check it?

    I'm very tempted to buy a firewall. Any suggestions on a good one?


    Thanks. I'll check it.
     
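    The posts above turn on the difference between a port that is "closed" and one that is "stealthed" (what nmap reports as "filtered"). The following is an added example, not code from any poster in this thread: a minimal TCP connect probe that classifies a port the way a scanner does. A closed port answers the SYN with RST, so connect() fails immediately with ECONNREFUSED; a stealthed port is behind a rule that drops the SYN, so nothing comes back and the probe times out. The equivalent nmap command from an external host is `nmap -sS -Pn -p 1-1024 <your public IP>`, where "filtered" means stealthed and "closed" means the host itself answered. The loopback demo at the bottom constructs its own listening and free ports; it can only ever show "open" or "closed", because the kernel always answers on 127.0.0.1, which is exactly why the thread says the stealth test has to come from outside.

```python
"""Added example (not from the thread): classify a TCP port the way a
port scanner sees it.

  open      - the TCP handshake completes (something is listening)
  closed    - the host answers with RST (connect() -> ECONNREFUSED)
  filtered  - no answer before the timeout (a firewall DROPs the SYN;
              this is what GRC's Shields Up! calls "stealth")
"""
import errno
import socket
from typing import Dict, Iterable, Tuple


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return one of 'open', 'closed', 'filtered', 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        # SYN was silently dropped: a DROP rule or a NAT box with no mapping.
        return "filtered"
    except ConnectionRefusedError:
        # RST came back: the host is reachable and nothing listens here.
        return "closed"
    except OSError as e:
        # No route at all is a routing problem, not a firewall verdict.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def scan(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe several ports and return {port: verdict}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def demo_loopback() -> Tuple[str, str]:
    """Constructed demo: one ephemeral port with a listener, one without.

    Returns (verdict_for_listening_port, verdict_for_free_port), which is
    ('open', 'closed'). A 'filtered' result is impossible on loopback; a
    firewall rule on the external interface never enters into it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # port is free again: a SYN here gets RST -> "closed"

    try:
        return (probe_tcp("127.0.0.1", open_port),
                probe_tcp("127.0.0.1", closed_port))
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_loopback())
```

    Run `scan("<public IP>", range(1, 1025))` from a machine outside your own network (a VPS, a friend's connection) to see the same view GRC or nmap-online gives; run it from inside the LAN and you are only testing the path from that host to the router's LAN side, which is the false-positive trap described in post 7.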
  10. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Maybe you should get an idea first about what level of security you want to achieve, because firewall testing and penetration testing are pretty different things.
     
  11. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    A penetration test will never succeed when a good firewall is set correctly.
     
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    In this case, it won't succeed even if you don't have a firewall, but your ports are all closed... What else are you trying to achieve with a firewall, that can't be solved by closing all ports?
     
  13. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Not necessarily. A firewall is just one tool, they are not a panacea. The particulars vary widely on precise context and technologies being discussed; but in the typical case of a network hardware firewall appliance, they are largely only "gate-ing" mechanisms based on network protocols up through layer 4.

    There are many situations that might require you to open access to a specific protocol & destination port in order to support some functionality -- perhaps you want to host a website, or perhaps you want to allow your PC to more fully participate in some game functionality requiring inbound ports, etc -- in which the firewall cannot protect you. In these situations you're ultimately at the mercy of application-layer technologies, and generally that means host-based application-layer protection mechanisms of some sort... or, most likely, simply staying current on OS & application patches.

    In a home setting, most users rarely have a legitimate need for any inbound ports... however, in corporate settings, there is almost always such a need. Thus, vulnerability assessment scanning, reconnaissance scanning, and penetration testing are invaluable in corporate environments regardless of how "perfect" or "clean" you think your firewall configuration may be.
     
  14. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    Because there are ways of opening closed ports, thus giving the attacker an ability of exploiting system vulnerabilities.

    In my case I just want to secure my own machine :D
    I don't have a hardware firewall (yet) and I want to see if any vulnerabilities are found.
     
  15. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Well, in the typical home setting, inbound protection is sort of a by-product of the NAT'ing functionality of your typical cable modem or DSL router. The appliance has to build a NAT table for outbound connections, and without some inbound port-mapping... the device has no way to map the shared external public IP to one of the internal IPs and so it typically drops the externally initiated traffic because it has no other way of knowing what to do with it.
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Huh? :blink:
     
  17. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    That is not true in the sense that if a determined attacker sends you a specially crafted custom packet - any "good" firewall can be penetrated.

    -- Tom
     
  18. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
  19. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    https://wiki.archlinux.org/index.php/Port_Knocking

    Is this just assumption or there have been actual cases, specially with the latest kernels?
     
  20. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    This is not an assumption, but written about by security researchers who have demonstrated it in the past, so it is well known to the security community.

    Router firewalls usually have nothing to do with a computer's kernel, i.e. they have their own firmware from which they run, e.g. BusyBox, and other firmwares.

    -- Tom
     
  21. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    Oh, yes. My bad.
    I understand, but I'm talking about my case in particular, in which I don't have a hardware firewall. So I rely on the Linux developers to be protected.
     
  23. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    You do understand, then, I presume, that the Linux firewall is not turned on by default - i.e. you have to initialize it with rules!

    -- Tom
     
  24. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    AFAIK it IS turned on considering it's the default Firewall in the Linux Kernel. It may not be configured by default (and that I understand), but I think it's actually on by default. I'll go look more into that.
     
  25. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    No, it is not turned on by default, meaning that there are two parts of it, i.e. netfilter and iptables. What is enabled by default is certain netfilter capabilities, but, until you feed rules into and activate the netfilter/iptables framework with iptables rules - everything is not as you assumed.

    See: Firewalls for examples.

    -- Tom
     
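    The last few posts argue about whether "the Linux firewall" is on by default. The concrete check is to look at what `iptables-save` prints: the netfilter hooks are in the kernel, but an INPUT chain whose policy is ACCEPT and which has no rules filters nothing. The following is an added example, not code from any poster in the thread, that parses such a dump and reports the inbound posture. Both dumps embedded in it are constructed samples; on a real host you would feed it the output of `sudo iptables-save` (and `sudo ip6tables-save` separately, since IPv6 has its own tables). It covers the legacy and iptables-nft front ends, which share this text format, but not a native nftables ruleset, which you would read with `nft list ruleset` instead.

```python
"""Added example (not from the thread): audit an `iptables-save` dump to
tell an unconfigured netfilter (policy ACCEPT, no rules) from a working
host firewall (policy DROP, or a terminal catch-all DROP/REJECT rule).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: what a fresh install with no rules loaded looks like.
UNCONFIGURED = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [1043:98211]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [877:64120]
COMMIT
"""

# Constructed sample: a minimal default-deny host firewall allowing SSH.
HOST_FIREWALL = """\
*filter
:INPUT DROP [12:720]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3310:291044]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
COMMIT
"""


@dataclass
class Chain:
    policy: str                          # ACCEPT / DROP for built-ins, "-" for user chains
    rules: List[str] = field(default_factory=list)


def parse_filter_table(dump: str) -> Dict[str, Chain]:
    """Return the chains of the *filter table, keyed by name."""
    chains: Dict[str, Chain] = {}
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        m = re.match(r"^:(\S+) (\S+) \[\d+:\d+\]$", line)   # ":INPUT DROP [pkts:bytes]"
        if m:
            chains[m.group(1)] = Chain(policy=m.group(2))
            continue
        m = re.match(r"^-A (\S+) (.*)$", line)              # "-A INPUT <match> -j <target>"
        if m and m.group(1) in chains:
            chains[m.group(1)].rules.append(m.group(2))
    return chains


def _is_catch_all_deny(rule: str) -> bool:
    # An unconditional terminal rule such as "-j DROP" or "-j REJECT --reject-with ..."
    return re.match(r"^-j (DROP|REJECT)( |$)", rule) is not None


def inbound_posture(dump: str) -> str:
    """'wide-open', 'default-allow', 'default-deny' or 'no-filter-table'."""
    inp = parse_filter_table(dump).get("INPUT")
    if inp is None:
        return "no-filter-table"
    if inp.policy == "ACCEPT" and not inp.rules:
        return "wide-open"               # framework present, nothing filtered
    if inp.policy == "DROP" or (inp.rules and _is_catch_all_deny(inp.rules[-1])):
        return "default-deny"
    return "default-allow"               # some rules, but unmatched traffic is accepted


def allowed_inbound_ports(dump: str) -> List[str]:
    """Ports explicitly accepted on INPUT, as 'port/proto' strings."""
    inp = parse_filter_table(dump).get("INPUT", Chain("ACCEPT"))
    found = []
    for rule in inp.rules:
        m = re.search(r"-p (tcp|udp) .*--dport (\S+).* -j ACCEPT$", rule)
        if m:
            found.append(f"{m.group(2)}/{m.group(1)}")
    return found


if __name__ == "__main__":
    for name, dump in (("unconfigured", UNCONFIGURED), ("host firewall", HOST_FIREWALL)):
        print(f"{name}: {inbound_posture(dump)}, allowed in: {allowed_inbound_ports(dump)}")
```

    A "wide-open" verdict is the state lotuseclat79 describes: netfilter is compiled in and iptables will happily list the chains, but nothing is being filtered until rules and a DROP policy are loaded. A "default-allow" verdict deserves the same scepticism, since anything a rule does not match gets through.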