Re: failed shields up test
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Sat, 22 Dec 2007 20:52:43 -0600
On Sat, 22 Dec 2007, in the Usenet newsgroup alt.os.linux.suse, in article
<20071222141727.5553f33a@xxxxxxxxxxxxxxxxxxxxxxx>, Malcolm wrote:
> You could also use an external shell account to do your testing from.
A lot depends on what you have access to. For testing a firewall, I
disconnect the network cable that leads to the world, and connect to
a laptop that is configured to mimic the upstream connection (ISP's
gateway device). This includes setting MAC address if applicable (it
is in most cases), and the IP address of that device. I then run a
probing application like nmap on this laptop, and probe my firewall.
This allows me to use ANY protocols, any ports, or IP addresses without
worrying about what the ISP may think. Thus, I can be as subtle, or as
crude as I want because the packets are remaining on my hardware.
If this is not practical for you, but you have access to another
system _on_the_Internet_ where you can install (or access) a probing
tool like nmap, you can probe from there. While this will show you
what your system looks like from the "outside", it has several
significant disadvantages. First and foremost is that you might be
making the ISPs involved VERY UNHAPPY, and there might be punitive
results (you could lose your accounts). Second, your probing may
encounter other filters - possibly run by your ISP - that may mask
what is actually happening with _your_ system. Because of these two
disadvantages, you can't be as aggressive (or crude) in your testing.
Of course, before you start abusing the network with probes like this,
you should first see what your system thinks is open. You can do this
without risk of the wrath of your ISP. All it takes is
[compton ~]$ netstat -antu
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
and we discover that the ONLY port that is open on this system is port
22/tcp (SSH). You can't tell it from here, but the service is actually
restricted to a handful of addresses (I can't see any reason to allow
connections from you or anyone else that I haven't approved in advance,
and I really don't expect authorized users to be connecting from Korea,
Kenya, Kuwait or Kazakhstan or a lot of other places either). And
unlike many probe tools (such as nmap), this is looking at ALL TCP
and UDP ports all at once.
Most probes default to a limited number of tested ports - if you
read the nmap man page and look at the -p option, you find that it
defaults to scanning about 1670 out of 65536 ports, or about 2.5%.
'nmap' can be very useful, but you really _do_ have to read the
instructions or you'll get a false indication. BAD security.
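One way to turn the netstat check above into a repeatable local audit, added here as an example and not part of Moe Trin's post: the function below parses `netstat -antu` style output and lists every listening TCP socket and bound UDP socket, marking those bound to a wildcard address (0.0.0.0 or ::) as reachable on every interface, as opposed to loopback-only ones. The embedded netstat output is a constructed sample (the column layout and the addresses in it are assumptions) so the script runs offline; the comment at the end shows how to feed it the live output instead.

```shell
#!/bin/sh
# Added example, not from the original post. Parses netstat -antu style
# output and reports which sockets are open to the world (wildcard bind),
# which are loopback only, and which are tied to one interface address.
# The sample below is constructed; column layout assumed as in netstat.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# Print "proto host port scope" for every listening TCP socket and every
# bound UDP socket. scope is "world" for a wildcard bind, "local" for a
# loopback bind, and "iface" for a bind to one specific address.
open_sockets() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # skip established TCP flows
        $1 !~ /^(tcp|udp)6?$/ { next }           # skip the header lines
        {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # everything before the last colon is the bound host address
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::") scope = "world"
            else if (host == "127.0.0.1" || host == "::1") scope = "local"
            else scope = "iface"
            print $1, host, port, scope
        }'
}

# Only the sockets that answer on every interface, as proto/port, one per line.
world_ports() {
    open_sockets | awk '$4 == "world" { print $1 "/" $3 }'
}

# To audit the current host instead of the sample:
#   SAMPLE_NETSTAT=$(netstat -antu); world_ports
```

The "world" list is the set of ports that an outside probe could ever find open, so it is the list to compare against the firewall rules before doing any probing from outside; a "local" entry is reachable only from the machine itself.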