On Mon, 1 Jul 2013, Joseph Kern wrote:

You could always build a state machine as complex as iptables ... :-p

This sort of thing could work for simple rulesets, but for the complex rulesets (NAT, redirect, thresholds, string matches, external scripts, etc) it's not going to be reasonable to try and duplicate the functionality.

You really do need a way to generate an arbitrary packet (not to mention state) and just ask iptables what happens to the packet.

Now, if you are willing to do this in a VM, it should be pretty simple to automatically replace the ACCEPT/REJECT calls with calls that output useful information.

If you can then use some hacking tool to generate your arbitrary packet, you should be able to see where it comes out.

David Lang

Wait ...that joke has merit ... has anyone looked on CPAN? ... bingo, IPTables::Parse[1], look at the `chain_rules` function.

How did any of you old unix ranch-hands get anything done using perl?
Inscrutable.

python-iptables looks like a good fit[2] as well, at least looking
at the examples .. past my bedtime here, really didn't test anything.

[1]: http://search.cpan.org/~mrash/IPTables-Parse-1.1/lib/IPTables/Parse.pm
[2]: http://nilvec.com/python-iptables.html


On Mon, Jul 1, 2013 at 5:32 PM, Craig Constantine <[email protected]> wrote:

...woops sorry, I misinterpreted what you were asking.
(and thanks for taking the time to expand your Q!)

--Craig Constantine, http://constantine.name


On Jul 1, 2013, at 12:41 PM, Alan Robertson <[email protected]> wrote:

Maybe I didn't make myself clear.

I mean will packets bound to that port reach my application?  That is,
will the firewall rules permit them to be received, and conversely if it
will permit them to be sent?

I'm pretty sure your suggestion will only let me know if someone is
using that port, which is a much simpler problem (and not much of a
problem to me).




On 07/01/2013 08:54 AM, Craig Constantine wrote:
Well, if you want to just verify the port is open, why not netstat with
(n)umeric, (l)istener and (u)dp flags?
eg, from a system with BIND on UDP/53 ...

# netstat -nlu | grep -q :53
# echo $?
0
# netstat -nlu | grep -q :54
# echo $?
1

--Craig Constantine, http://constantine.name


On Jul 1, 2013, at 10:48 AM, Alan Robertson <[email protected]> wrote:

On 07/01/2013 07:53 AM, Tom Limoncelli wrote:
Hi Rusty,

That sounds great.  Actually I'm looking for less user interface.  I
want to be able to call it from a Makefile to run unittests against a
rule set before it goes into production.

My need is similar - I want to have an application that can complain if
my UDP port isn't open.  Again, an exit code and maybe a message is just
fine for me.



--
   Alan Robertson <[email protected]> - @OSSAlanR

"Openness is the foundation and preservative of friendship...  Let me
claim from you at all times your undisguised opinions." - William
Wilberforce

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/
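The thread asks for two things that fit together: David Lang's observation that a state machine can answer "what happens to this packet" for simple rulesets (and nothing more complex), and Alan Robertson's wish for a command that a Makefile can run and that exits non-zero when a UDP port is not permitted by the firewall rules. The following is an added example, not code from the thread, from IPTables::Parse or from python-iptables. It parses `iptables -S` style rule lines for a small subset of options (-p, --dport, --sport, -s, -d, -i, --ctstate, -j), walks INPUT and any user chains in order the way the kernel does, and raises on anything it does not understand rather than guessing. The ruleset embedded below is constructed for the example; in real use you would feed it the output of `iptables -S`.

```python
"""Offline "is this port open?" check over a simple iptables ruleset.
Added example, not from the thread; handles only a small option subset."""
import ipaddress
import shlex
import sys

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SIMPLE_OPTS = {"-p", "--dport", "--sport", "-s", "-d", "-i", "--ctstate"}


def parse_rules(text):
    """Return (policies, chains); chains maps name -> [(matches, target), ...]."""
    policies, chains = {}, {}
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0] in ("-P", "-N"):            # policy / new chain
            chains.setdefault(toks[1], [])
            if toks[0] == "-P":
                policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        matches, target, i = {}, None, 2
        while i < len(toks):
            opt = toks[i]
            if opt == "-j":
                target = toks[i + 1]
            elif opt == "-m":
                pass                           # extension loader (-m udp, -m conntrack)
            elif opt in SIMPLE_OPTS:
                matches[opt] = toks[i + 1]
            else:                              # NAT, string, limit, ...: refuse to guess
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        if target is None:
            raise ValueError(f"rule without target: {line}")
        chains.setdefault(toks[1], []).append((matches, target))
    return policies, chains


def _port_in(spec, port):
    lo, _, hi = spec.partition(":")            # "53" or "53:60"
    return int(lo) <= port <= int(hi or lo)


def rule_matches(matches, pkt):
    """pkt keys: proto, sport, dport, src, dst, iif, state."""
    for opt, val in matches.items():
        if opt == "-p" and val != pkt["proto"]:
            return False
        if opt == "--dport" and not _port_in(val, pkt["dport"]):
            return False
        if opt == "--sport" and not _port_in(val, pkt["sport"]):
            return False
        if opt in ("-s", "-d"):
            addr = pkt["src" if opt == "-s" else "dst"]
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(val, strict=False):
                return False
        if opt == "-i" and val != pkt.get("iif"):
            return False
        if opt == "--ctstate" and pkt.get("state", "NEW") not in val.split(","):
            return False
    return True


def verdict(policies, chains, chain, pkt, depth=0):
    """First terminal match wins. RETURN or falling off the end yields the
    chain policy for a built-in chain, or None (back to caller) for a user chain."""
    if depth > 16:
        raise RecursionError("chain jump loop")
    for matches, target in chains[chain]:
        if not rule_matches(matches, pkt):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in chains:                   # jump into a user-defined chain
            v = verdict(policies, chains, target, pkt, depth + 1)
            if v is not None:
                return v
            continue
        raise ValueError(f"unsupported target {target!r}")
    return policies.get(chain)


def port_open(rules_text, proto, port, src="192.0.2.10", iif="eth0"):
    """True if an unsolicited packet from src to local port is ACCEPTed on INPUT."""
    policies, chains = parse_rules(rules_text)
    pkt = {"proto": proto, "dport": port, "sport": 40000, "src": src,
           "dst": "10.0.0.1", "iif": iif, "state": "NEW"}
    return verdict(policies, chains, "INPUT", pkt) == "ACCEPT"


# Constructed sample in `iptables -S` form (not a ruleset from the thread):
# DNS is only answered for 10/8, SSH for everyone, everything else dropped.
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DNS
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j DNS
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DNS -s 10.0.0.0/8 -j ACCEPT
-A DNS -j RETURN
"""

if __name__ == "__main__":
    # Makefile usage: python check_port.py udp 53 10.1.2.3   (exit 1 when blocked)
    proto, port = sys.argv[1], int(sys.argv[2])
    src = sys.argv[3] if len(sys.argv) > 3 else "192.0.2.10"
    ok = port_open(SAMPLE_RULES, proto, port, src)
    print(f"{proto}/{port} from {src}: {'open' if ok else 'blocked'}")
    sys.exit(0 if ok else 1)
```

The point of raising on unknown options and targets is the one David Lang makes: for a ruleset with NAT, string matches or external scripts, a simulator that silently ignores what it cannot model gives a confident wrong answer, which is worse than failing the build; for those rulesets you still need to send a real packet through a real kernel and watch where it comes out.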