From: Bill Moran <wmoran@potentialtech.com>
Date: Wed, 09 Apr 2003 08:53:57 -0400
To: Mark Gladman
Cc: freebsd-questions@freebsd.org
Subject: Re: Firewall testing issues.
Message-ID: <3E9417E5.3000900@potentialtech.com>

Mark Gladman wrote:
> Hi there,
>
> I pointed this question at the freebsd-newbies list previously, and only
> afterwards realised that it's probably more technical than should be
> posted to that list.. oops..
>
> Anyway, I've got an external ADSL router which uses a static route to
> forward packets(?) to a FreeBSD box using ipfw. I've configured ipfw to
> some extent (still some stuff not working..), but I'm currently tweaking
> the config for it.
> Now, what happens when I try and get someone to portscan it from the
> outside world (using nmap), instead of it portscanning the FreeBSD box,
> it scans the ADSL router, even though I thought that the static route
> just handed all incoming packets to the FreeBSD box?
>
> The ADSL router has NAT'ing enabled on it, as opposed to the FreeBSD
> machine doing the NAT'ing. (This was the way that was recommended to me,
> and seems to work).
>
> So I'm just wondering.. how can I tell if the firewall is actually
> working or not? Because portscanning it internally won't be a problem
> since all the internal computers have the ability to do pretty much
> whatever they want, and doing it externally just hits the ADSL router.

First off ... your router is part of your security system, so you need to
take its behaviour into consideration. Especially if you're giving the
local network unrestricted access to the machine ... it makes the router's
capabilities VERY important.

If you still want to test the firewall ... the first thought that comes to
mind is to temporarily rearrange your network without the router, and
create a local machine that pretends to be on the external network and
test it from there.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
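An added example, not part of Bill's reply or the thread: once a test host sits on the outside of the FreeBSD box (router removed, as suggested), the question "is the firewall actually doing anything?" has two halves that can be checked against each other. On the test host, scan the box with nmap in grepable output mode (nmap -oG); on the FreeBSD box, snapshot the per-rule packet counters with `ipfw -a list` before and after the scan (or `ipfw zero` first). The script below parses both and reports which rules absorbed the scan and whether the set of ports nmap saw open matches what the ruleset was meant to expose. The ruleset (interface xl0, allowed ports 22 and 80), both counter snapshots and the nmap line are constructed sample data, not output from the original poster's network.

```shell
#!/bin/sh
# Added example: correlate an external nmap scan with ipfw rule counters.
# All data below is constructed; on a real box replace BEFORE/AFTER with
# the output of `ipfw -a list` and SCAN with a line from `nmap -oG -`.

# `ipfw -a list` snapshot before the scan (constructed). Columns are:
# rule number, packet count, byte count, rule text.
BEFORE='00100      0        0 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300     40     2400 allow tcp from any to me 22 in via xl0 setup
00400      0        0 allow tcp from any to me 80 in via xl0 setup
00500     10      600 deny log ip from any to any in via xl0
65535   1200   150000 deny ip from any to any'

# Same snapshot after the external scan (constructed).
AFTER='00100      0        0 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300     41     2460 allow tcp from any to me 22 in via xl0 setup
00400      1       60 allow tcp from any to me 80 in via xl0 setup
00500   1008    60480 deny log ip from any to any in via xl0
65535   1200   150000 deny ip from any to any'

# One host line of `nmap -oG` output from the external test host (constructed;
# nmap separates the fields with a tab, a space is used here for readability).
SCAN='Host: 192.0.2.10 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 25/filtered/tcp//smtp///, 139/filtered/tcp//netbios-ssn///'

# Ports the ruleset intends to expose on xl0 (the two allow rules above).
EXPECTED="22 80"

# rule_hits BEFORE AFTER: print "rulenum delta rule-text" for every rule
# whose packet counter increased between the two snapshots.
rule_hits() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { n = $1; p = $2; $1 = ""; $2 = ""; $3 = ""; sub(/^ +/, "") }
        !(n in before) { before[n] = p; text[n] = $0; next }
        { d = p - before[n]; if (d > 0) printf "%s %d %s\n", n, d, text[n] }'
}

# open_ports SCANLINE: print the ports nmap reported as open, space separated.
open_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F/ '
        $2 == "open" { sub(/.*[ \t]/, "", $1); out = out (out ? " " : "") $1 }
        END { print out }'
}

# scan_matches SCANLINE EXPECTED: succeed only if the scan saw exactly the
# expected open ports, i.e. nothing leaks past the ruleset.
scan_matches() {
    [ "$(open_ports "$1")" = "$2" ]
}

echo "rules hit by the scan (rule, extra packets, rule text):"
rule_hits "$BEFORE" "$AFTER"
echo "ports nmap saw open: $(open_ports "$SCAN")"
if scan_matches "$SCAN" "$EXPECTED"; then
    echo "exposure matches the ruleset"
else
    echo "UNEXPECTED exposure: check the ruleset"
fi
```

Two things to look for in the counters: the bulk of the scan should land on the final deny rule for the external interface (rule 500 here picks up 998 packets), and each allow rule should move by roughly one SYN per scanned port. If the counters do not move at all while nmap still reports results, the scan never reached the FreeBSD box, which is exactly the situation the original poster hit with the router in front of it.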