How to verify firewall ACLs and router rule sets using Linux

Core routers and firewall gateways are usually comprised of basic and extended access control lists including rule sets that define local network security level and control access. They are commonly implemented on gateway routers restricting hosts, protocols and port access to other host or networks located after their default gateways. Basically, routers and default gateways serve as a line of defense to security intrusions and network attacks.

The very basic approach to test a firewall access list (ACLs) is to telnet from a computer host going to destination host and port located externally from connecting host. A basic representation of the scenario would be

local computer host ----> default router -----> destination host

A commonly trade off thing for this telnet test is giving you test results by not actually showing you what is occurring from the time the test start, hops through the router, and arrives to the destination host and port.

Introducing Firewalk

Firewalk is an open source tool that will help you analyze IP packet responses on every packet hop to determine your router ACLs rule sets and network maps. This firewalking helps you figure out if your router's ACLs are actually doing what you instructed them to do.  Firewalk can be considered as a security tool for network penetration testing specially for gateway router ACLs and rule sets verification. The method is called firewalking.

Firewalk Installation on Fedora 9

Fedora 9 repo supports Firewalk and  Simply issue yum to install firewalk

# yum -y install firewalk

Firewalk Usage

Now since firewalk has been installed successfully,  let us uncover how we can make use this firewalking penetration testing. Assuming you have segmented network making use of segmented VLAN switches and router

computer host---> vlan switch ---> vlan router1 ----> vlan router2 ---> destination host

Legend:

computer host (source host): 192.168.60.254
vlan switch: 10.0.100.1
vlan router1: 192.168.60.1 F0 , 192.168.60.1 F1
vlan router2 (target host): 192.168.200.1 F0, 192.168.200.2 F1
destination host (metric host): 83.83.83.83

computer host port: 25
destination host port: 25

F0 - internal router interface (fast ethernet interface)
F1 - internal router interface (fast ethernet interface)

Considering that we have already implemented ACLs from the both interfaces of two VLAN routers to allow safe passage of TCP packets coming from local computer host carrying destination port 25 passing thru VLAN router 2 going to metric host IP address with destination port 25.

Here is how we would be able to do that using firewalk

# firewalk-s25 -d25 -pTCP 192.168.200.1 83.83.83.83

By using firewalk, we would be able to determine and verify the following issues

a. Presence and correctness of ACLs from VLAN router 2 allowing port 25 to pass thru coming from local computer host going to destination hostport 25 carried from TCP packet

b. Correctness of VLAN router 1 ACLs allowing the same ACL rule as shown above

c. Successful port connection of computer host to destination host port 25

d. Successful port connection of target host to destination host (metric host)

e. Network map location of target host to metric host

f. Network map location of source computer host to destination host

Another use of firewalk is to do network penetration testing. Let us do a simple penetration testing using firewalk

# firewalk -pTCP 192.168.60.2 83.83.83.83

which would probably give you opened/closed ports, unreachable/idle/listening ports, hop counts and hop Ip address and more.

Auditing your network map and router ACL rule set is a good network and security practice. Firewalk is fun to play with as far as network scanning of router ACLs and penetration security testing and verification is concerned. Simply make sure you are proper authorization and function to do network scanning and penetration testing from your local networks.

All is done. Have fun.