On 08/19/08 13:12, Tony Nguyen wrote:
Paul Wernau wrote:
- One of the big high-level problems with IP Filter (as it is with
_all_ firewall software) is visualizing how the rules perform.
That is, being able to ask "what if?" questions concerning traffic
from other hosts. (Something like: "which rules would match if I
received a TCP SYN packet for destination address a.b.c.d and port
25 from host foo.bar.com, and what would be the resulting action
taken by the system?")
As someone who uses this stuff frequently, this is often a sore
point. It can be hard to determine whether you've gotten
everything just right unless you log into some remote system and
start attacking your original machine.
Would it be possible to have something like "tcpdmatch" for this
tool?
There is an undocumented tool that is bundled with IP Filter called
"ipftest". It is used by various test suites (both in the general open
source version and the OpenSolaris version) to do this sort of rule
logic testing. It can take various types of input, etc.
It's kind of clunky - input -> rules -> results, and used in the suites
to compare expected vs actual.
I'm not positive that this is exactly what you're asking for, but it
certainly is the underpinnings.
/usr/lib/ipf/ipftest -> isaexec'd
Thanks Paul. I'll take a look at ipftest.
If you're looking for clues on how to drive this, look in the
test gate - /ws/onnv-stc2-clone/src/suites/net/ipfilter/legacy/[1].
The directory regress is the rules tested, input the input to
test the rules with and expected is what it endeavours to produce.
The only real dilemma is that stdin can't be used as the input
for both rules and "packets".
There is a collection of scripts to drive it all...
Darren
[1] if you're not on SWAN, you won't be able to see it as
not all of STC2 is on Opensolaris, but you can find the
equivalent files on sourceforge:
http://ipfilter.cvs.sourceforge.net/ipfilter/ipfilter/test/
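The "what if?" question raised at the top of the thread, and the regress/input/expected comparison Darren describes, as an added example that is not part of the original thread and is not ipftest itself. It is a toy evaluator for a small subset of ipf.conf syntax (pass/block, in/out, log, quick, on, proto, from/to with `port =`, flags) that follows IP Filter's rule semantics: rules are walked in order, the last match wins unless a matching rule says `quick`, and a packet nobody matches passes. Assumptions: the packet line format is constructed for this example and only loosely resembles ipftest's text input; the default flags mask `FSRPAU` is taken from ipf.conf and should be checked against your version's man page; the rule set, packets and expected results are constructed sample data, with one expected entry deliberately wrong so the comparison has something to report.

```python
# Added example (not from the thread, not ipftest): toy "what if?" evaluator for a subset of
# ipf.conf syntax plus a regress/input/expected style comparison, using IPF's last-match-wins
# semantics (a matching "quick" rule ends the walk; no match at all means pass).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
DEFAULT_MASK = "FSRPAU"  # mask used when "flags" gives none (assumed ipf.conf default)

@dataclass
class Rule:
    action: str                  # pass | block
    direction: str               # in | out
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: Optional[str] = None  # "S" or "S/SA"

def parse_rule(line: str) -> Rule:
    # Subset: pass|block in|out [log] [quick] [on IF] [proto P] from A [port = N] to B [port = N] [flags F]
    t = line.split()
    r = Rule(action=t[0], direction=t[1])
    if r.action not in ("pass", "block") or r.direction not in ("in", "out"):
        raise ValueError("unsupported rule: " + line)
    side, i = None, 2
    while i < len(t):
        w = t[i]
        if w in ("quick", "log"):
            r.quick, i = r.quick or w == "quick", i + 1
        elif w in ("on", "proto", "flags"):
            setattr(r, "iface" if w == "on" else w, t[i + 1])
            i += 2
        elif w in ("from", "to"):
            net = ANY if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1], strict=False)
            setattr(r, "src" if w == "from" else "dst", net)
            side, i = w, i + 2
        elif w == "port" and t[i + 1] == "=":
            setattr(r, "sport" if side == "from" else "dport", int(t[i + 2]))
            i += 3
        else:  # refuse unknown syntax rather than silently mis-evaluating it
            raise ValueError("unsupported token %r in: %s" % (w, line))
    return r

def parse_packet(line: str) -> dict:
    # Constructed line format (only loosely modelled on ipftest's text input):
    #   in|out on IFACE PROTO SRC,SPORT DST,DPORT [TCPFLAGS]
    t = line.split()
    sip, sport = t[4].split(",")
    dip, dport = t[5].split(",")
    return dict(direction=t[0], iface=t[2], proto=t[3], src=ipaddress.ip_address(sip), sport=int(sport),
                dst=ipaddress.ip_address(dip), dport=int(dport), flags=t[6] if len(t) > 6 else "")

def flags_match(spec: str, pkt_flags: str) -> bool:
    want, _, mask = spec.partition("/")
    return set(pkt_flags) & set(mask or DEFAULT_MASK) == set(want)

def rule_matches(r: Rule, p: dict) -> bool:
    return (r.direction == p["direction"]
            and r.iface in (None, p["iface"]) and r.proto in (None, p["proto"])
            and (r.src is None or p["src"] in r.src) and (r.dst is None or p["dst"] in r.dst)
            and r.sport in (None, p["sport"]) and r.dport in (None, p["dport"])
            and (r.flags is None or (p["proto"] == "tcp" and flags_match(r.flags, p["flags"]))))

def evaluate(rules: List[Rule], p: dict) -> Tuple[str, List[int]]:
    """The 'what if?' answer: final action plus the 1-based numbers of every rule that matched."""
    action, matched = "pass", []
    for n, r in enumerate(rules, 1):
        if rule_matches(r, p):
            action, matched = r.action, matched + [n]
            if r.quick:
                break
    return action, matched

def run_suite(rules_text: str, input_text: str, expected_text: str):
    """regress/input/expected in miniature: actual results plus (index, expected, actual) mismatches."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    actual = [evaluate(rules, parse_packet(l))[0] for l in input_text.splitlines() if l.strip()]
    return actual, [(i, e, a) for i, (e, a) in enumerate(zip(expected_text.split(), actual)) if e != a]

# Constructed sample data standing in for one entry each of regress/, input/ and expected/.
REGRESS = """\
block in from any to any
block in log quick on hme0 from 10.0.0.0/8 to any
pass in quick on hme0 proto tcp from any to 192.0.2.25 port = 25 flags S
block in on hme0 proto tcp from any to 192.0.2.0/24 port = 22
pass in on hme0 proto tcp from 198.51.100.0/24 to 192.0.2.0/24 port = 22
pass out quick on hme0 from any to any
"""
INPUT = """\
in on hme0 tcp 203.0.113.7,40000 192.0.2.25,25 S
in on hme0 tcp 10.1.2.3,1234 192.0.2.25,25 S
in on hme0 tcp 198.51.100.9,5000 192.0.2.10,22 S
in on hme0 tcp 203.0.113.7,40000 192.0.2.25,25 SA
out on hme0 udp 192.0.2.25,53 203.0.113.53,53
"""
EXPECTED = "pass block block block pass"  # entry 3 is wrong on purpose: last match wins, so it passes
```

Calling `run_suite(REGRESS, INPUT, EXPECTED)` returns the actual verdicts for the five packets and a single mismatch at index 2, where the constructed expected file forgot that rule 5 overrides rule 4 (last match wins). `evaluate()` on a single parsed packet gives the per-packet explanation the first message asks for: the final action together with the numbers of every rule that matched along the way, so the pure SYN to port 25 shows rules 1 and 3 (stopping at the quick pass), while the SYN-ACK to the same port falls through to rule 1 alone.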
_______________________________________________
networking-discuss mailing list