From: ravi pina (ravi@cow.org)
Date: Wed Sep 10 2003 - 15:17:27 EDT
On Wed, Sep 10, 2003 at 09:04:07AM -0800, Leif Sawyer said at one point in time:
> Hello,
>
> I'm looking for a way to audit my firewall ruleset, in
> a very specific manner.
>
>
> I've gotten reports of packets traversing our firewall
> that should not be allowed by any of the rules currently implemented.
unpossible! :)
> What is the easiest way to find out what rule line the supposed packet
> could be traversing, without logging on every single rule? This is
> interesting because it is a random occurance, with no way to know
> when it will happen. And I dislike the idea of full logging until
> I see the violation again -- I just don't have the diskspace, for one.
well, do you know the src address? if so, you could place
that at the bottom of your rule base with an explicit accept
and when the inspect code is built, it'll tell you where that
rule conflicts.
you could also sniff the last interface the packet traversed
and check the source. could it be getting in the network some
other way? how do you even know that this is occuring?
> Something like an external program that would allow a crafted packet
> to be 'virtually' sent through the ruleset would be perfect.
it would, wouldn't it?
> Does such a tool exist? Preferably supporting Checkpoint FW-1 NG
not that i am aware of.
-r
-- echo "send pgp key" | mail ravi@cow.org "All the world is a stage; god is filming, how are you acting?" -- Spirk --------------------------------------------------------------------------- FREE Trial! New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL and PROFESSIONAL TL software. Fast, reliable vulnerability assessment technology powered by the award-winning FoundScan engine. Try it free for 21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825 ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT