How to test my Firewall

Discussion in 'all things UNIX' started by Amanda, Jan 25, 2014.

Thread Status:
Not open for further replies.
  1. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Thanks! :D
     
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Question: Are there ways of opening closed ports?
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  4. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Oh, maybe I formulated my question wrong.

    Can an external attacker open ports that are closed by a firewall?
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    This has created confusion and requires elaboration, specifically some that reflects the behavior of current configurations. It is true that various types of stacks and firewalls have been found to have vulnerabilities/backdoors via which they could be bypassed. However, I'm not aware of it being appropriate to consider all good firewalls vulnerable to bypass. Specifics please.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Exactly how depends on the firewall IIRC, but yeah, stateful firewalls can be bypassed under some conditions. Mainly, if you have an open port behind the firewall, it may be possible to spoof the firewall into letting through an unsolicited connection. I believe this was demonstrated at one point with iptables and port 6667 (used for IRC)... I don't think there's a whole lot one can do about this, other than keeping the kernel updated and not trusting open ports.

    That said, client side attacks are vastly more common. Java attacks can and do target Linux now, and XSS attacks are platform independent.

    Decent Linux distros (like Fedora, Ubuntu, OpenSUSE, Debian...)* IMO have an inherent edge on the desktop there, due to large package repositories, frequent updates, backporting of patches, etc. On the end user level, there's not much to be done for client side security. Experienced users may want to use mandatory access control (e.g. AppArmor) and/or enhanced memory protection (grsecurity/PaX patched kernel), but these IMO do not have great benefit for most desktop users.

    * Distros that I do not consider decent include Mint, PCLinuxOS, and Puppy, which all have very insecure default settings. Any distro can be configured insecurely, but shipping with such unnecessarily bad defaults is IMO inexcusable at this point.
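
The thread's question is how to test the firewall, and the post above ends with "not trusting open ports". Before testing anything from outside, it helps to know what is actually listening and on which addresses. The following Python is an added example, not code from the thread or from any of the participants: it parses the output of iproute2's `ss -tulnp` and separates loopback-only bindings (which no outside host can reach regardless of firewall rules) from wildcard or interface-specific bindings (the ones a firewall rule has to cover). The sample output is constructed to match the `ss` column layout; the process names and PIDs in it are made up.

```python
"""Audit listening sockets from `ss -tulnp` output.

Added example for this thread, not part of it.  SAMPLE_SS_OUTPUT is
constructed to mirror iproute2's column layout:
  Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
Replace it with real output, e.g. parse_ss(subprocess.check_output(
["ss", "-tulnp"], text=True)).
"""
import re
from ipaddress import ip_address

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=601,fd=13))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=700,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      5      127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=800,fd=7))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=900,fd=4))
tcp   LISTEN 0      511    [::1]:6667         [::]:*            users:(("ircd",pid=1200,fd=5))
"""

# First process name inside users:(("name",pid=...,fd=...))
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def _split_addr(local: str):
    """'[::]:22' -> ('::', 22); '127.0.0.53%lo:53' -> ('127.0.0.53', 53)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets, scope id
    return host, int(port)


def _scope(host: str) -> str:
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"                       # every address on the box
    try:
        return "loopback" if ip_address(host).is_loopback else "specific"
    except ValueError:
        return "unknown"


def parse_ss(text: str) -> list:
    """Return one dict per listening/unconnected socket in `ss` output."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip header row
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, state, _recvq, _sendq, local, _peer = fields[:6]
        if state not in ("LISTEN", "UNCONN"):   # only sockets that accept input
            continue
        host, port = _split_addr(local)
        m = _PROC_RE.search(line)
        listeners.append({
            "proto": proto, "host": host, "port": port,
            "scope": _scope(host),
            "process": m.group(1) if m else "?",
        })
    return listeners


def exposed_listeners(text: str) -> list:
    """Sockets reachable from the network unless a firewall rule stops them."""
    return [l for l in parse_ss(text) if l["scope"] != "loopback"]


if __name__ == "__main__":
    for l in parse_ss(SAMPLE_SS_OUTPUT):
        print(f"{l['proto']:4} {l['host']:>12}:{l['port']:<5} {l['scope']:9} {l['process']}")
```

Everything reported as wildcard or specific is the set to probe from another host (the part of "testing my firewall" that actually answers the question); the loopback-only entries need no rule at all, and a port that is open here but not in the firewall ruleset is exactly the kind of "open port behind the firewall" the post warns about.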
     
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    See: Cyber Attacks Explained: Packet Crafting.

    With regard to "all good firewalls being vulnerable to bypass", it depends on how impervious and immune to bypassing attacks the firewall has been fortified! And that is the difference between being vulnerable and being fortified. A good firewall that has not been fortified is not immune to a determined and well-crafted custom targeted packet attack by an expert intruder who is highly motivated to gain access to the treasures within the firewall.

    -- Tom
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,219
    There's nothing concrete in that article except general explanations and some Office 2010 art. As to bypassing a firewall, and ... what about the services that are actually supposed to be running behind it?
    Mrk
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Seems logical that "state keeping" would be a vulnerable spot. I'm not sure what should/shouldn't be considered a "bypass" though. If outbound traffic has opened a hole in an SPI firewall, we can expect that firewall to allow "matching" inbound traffic through. If an adversary is in a position to determine what is/isn't matching traffic, and generate such matching traffic, an SPI firewall will allow it to pass. We could call such a scenario a bypass, because undesired traffic made it through. However, assuming the inbound traffic really did match (say someone MITMing your connection to an HTTP server and in a position to generate precisely what is expected including TCP sequence numbers) then the SPI firewall is supposed to let it through. So I think we'd have to dig into the details... what the SPI firewall opens and in response to what, how the rules for allowing inbound traffic work, etc.

    I'm not sure if this is what you are referring to, but I did find these:

    http://samy.pl/natpin/
    http://fds-team.de/cms/articles/201...outers-acting-as-proxy-when-sending-fake.html

    Still digesting the info.

    Edit: Regarding the browser...
    http://www-archive.mozilla.org/projects/netlib/PortBanning.html
    http://mxr.mozilla.org/mozilla-release/source/netwerk/base/src/nsIOService.cpp#63
    http://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc#l92
     
    Last edited: Feb 3, 2014
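
The post above draws the distinction that matters: traffic that matches tracked state is supposed to pass, so the interesting question is what creates state and in response to what. The following Python is an added example, not code from the thread or from netfilter; it is a toy model of a stateful firewall with a flow table and helper-created "expectations", simplified after the shape of nf_conntrack and its IRC helper. The IP addresses, port numbers and the DCC line are constructed. It runs four scenarios: an unsolicited probe to a closed port, the legitimate reply to an outbound connection, a packet that merely matches the same tuple (which the firewall cannot tell apart, as the post says), and a DCC CHAT line sent to port 6667 that makes the helper open an inbound port nobody explicitly allowed. That last mechanism is what the samy.pl/natpin link relies on, and it is also why the browser port-banning lists linked in the edit refuse to send HTTP to 6667.

```python
"""Toy stateful-inspection firewall with a protocol helper.

Added example for this thread, not part of it and not netfilter code.
'flows' stands in for conntrack's flow table, 'expectations' for the
entries a helper (here, a cut-down IRC/DCC one) adds so a peer may
connect back.  All addresses, ports and payloads below are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""


@dataclass
class StatefulFirewall:
    inside: str                                   # the protected host
    flows: set = field(default_factory=set)       # (remote_ip, remote_port, local_port)
    expectations: set = field(default_factory=set)  # local ports a helper opened
    log: list = field(default_factory=list)

    # Outbound is always allowed and creates state for the reply direction.
    def outbound(self, pkt: Packet) -> bool:
        self.flows.add((pkt.dst, pkt.dport, pkt.sport))
        if pkt.dport == 6667:                     # IRC helper bound to this port
            self._irc_helper(pkt.payload)
        return True

    def _irc_helper(self, payload: bytes) -> None:
        # Simplified DCC parse: "DCC CHAT chat <ip> <port>" or
        # "DCC SEND <file> <ip> <port> ...".  Like the real helper, the
        # expectation is for *any* source address, which is the whole point.
        for m in re.finditer(rb"DCC (?:CHAT|SEND) \S+ (\d+) (\d+)", payload):
            self.expectations.add(int(m.group(2)))

    # Inbound passes only when it matches a flow or a helper expectation.
    def inbound(self, pkt: Packet) -> bool:
        if pkt.dst != self.inside:
            return self._verdict(pkt, False, "not for inside host")
        if (pkt.src, pkt.sport, pkt.dport) in self.flows:
            return self._verdict(pkt, True, "ESTABLISHED")
        if pkt.syn and pkt.dport in self.expectations:
            return self._verdict(pkt, True, "RELATED via helper expectation")
        return self._verdict(pkt, False, "unsolicited -> DROP")

    def _verdict(self, pkt: Packet, accept: bool, why: str) -> bool:
        self.log.append(f"{'ACCEPT' if accept else 'DROP':6} {pkt.src}:{pkt.sport} "
                        f"-> {pkt.dst}:{pkt.dport} ({why})")
        return accept


def run_scenarios():
    fw = StatefulFirewall(inside="10.0.0.5")
    r = {}
    # 1. No state at all: a probe to a closed port is dropped.
    r["probe_to_closed_port"] = fw.inbound(Packet("203.0.113.9", 40000, "10.0.0.5", 22, syn=True))
    # 2. Inside host opens an HTTP connection; the reply direction now matches.
    fw.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80, syn=True))
    r["reply_from_server"] = fw.inbound(Packet("198.51.100.7", 80, "10.0.0.5", 51000))
    # 3. Anything with the same tuple is indistinguishable from the real reply;
    #    the firewall accepts it by design (a different peer IP does not match).
    r["spoofed_matching_tuple"] = fw.inbound(
        Packet("198.51.100.7", 80, "10.0.0.5", 51000, payload=b"not from the real server"))
    r["wrong_peer_same_port"] = fw.inbound(Packet("203.0.113.9", 80, "10.0.0.5", 51000))
    # 4. Helper case: a DCC line in traffic to port 6667 (constructed here)
    #    makes the helper expect an inbound connection to the advertised port.
    fw.outbound(Packet("10.0.0.5", 52000, "192.0.2.10", 6667, syn=True,
                       payload=b"PRIVMSG bob :\x01DCC CHAT chat 167772165 1234\x01\r\n"))
    r["helper_opened_port"] = fw.inbound(Packet("203.0.113.9", 40001, "10.0.0.5", 1234, syn=True))
    r["still_closed_elsewhere"] = fw.inbound(Packet("203.0.113.9", 40002, "10.0.0.5", 1235, syn=True))
    return r, fw.log


if __name__ == "__main__":
    results, log = run_scenarios()
    print("\n".join(log))
    print(results)
```

The model makes the two questions in the post concrete: scenario 3 is not a firewall bug, because the packet really does match the state the outbound connection created; scenario 4 is the case worth auditing on a real box, since state was created by a helper inspecting payload rather than by anything the user asked for, which is why modern kernels no longer attach conntrack helpers automatically and why browsers refuse to send HTTP to IRC ports.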