Date: Sat, 19 Jun 2004 19:20:37 +0300
From: Anton Alin-Adrian
To: Viktor Ivanov
cc: freebsd-hackers@freebsd.org
Subject: Re: ipfw2 test utility
Message-ID: <40D467D5.5000100@spintech.ro>
In-Reply-To: <7f4bda01040619034050be53a2@mail.gmail.com>
List-Id: Technical Discussions relating to FreeBSD

Viktor Ivanov wrote:
> Hello -hackers.
>
> I'm thinking about a utility to test a simple packet against the
> machine's firewall (ipfw2 to be more specific). I needed it because on
> some of my routers the configuration got complicated and the rule
> count is too high. And sometimes I need to see quickly what a
> colleague has done to the firewall and why it's not working as
> expected.
>

See nemesistcp from ports.

> Is there an (easy) way to take the packet-matching code from the
> kernel and use it to check a (manually) constructed packet on the
> current ipfw2 rule set?
>

I doubt it. Faster with logging & scripts.

> I was planning on writing a simple script that reads the output of
> `ipfw list' and then does some very simple checks. Mostly I need to
> look at what's done to packets from certain address/network coming from a
> certain interface. Sometimes I need to check on tcp streams too.
>
> Maybe I should just write a good script to build proper rule sets and
> not try to fix a problem by creating more problems :)
>
> Any comments are welcome

-- 
Alin-Adrian Anton
Spintech Systems
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E
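The script idea from the quoted message (read `ipfw list` output, then see what happens to a packet from a given address arriving on a given interface), as an added example that is not part of the original thread. It assumes a small subset of ipfw2 rule syntax (allow/deny, `any` or IPv4 host/CIDR addresses, `in`/`out`, `via`/`recv`); the rule text is constructed and the names `covers` and `trace_incoming` are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ipfw list` output; not taken from the thread.
SAMPLE = """\
00100 allow ip from any to any via lo0
00200 deny ip from 10.0.0.0/8 to any in via fxp0
00300 allow tcp from 192.168.1.0/24 to any dst-port 22 in via fxp1
00400 allow ip from 192.168.1.0/24 to any in via fxp1
65535 deny ip from any to any
"""

# Subset only: allow/deny, 'any' or IPv4 host/CIDR addresses, trailing options.
RULE = re.compile(r"^(\d+) (allow|deny) (\w+) from (any|[\d./]+) to (any|[\d./]+)\s*(.*)$")

def covers(spec, addr):
    """True if addr falls under spec ('any', a host, or a CIDR block)."""
    return spec == "any" or (
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))

def trace_incoming(rules, src, dst, proto, iface):
    """Walk rules in order for a packet received on iface.
    Returns [(number, action, unchecked_options)]. Non-empty unchecked_options
    marks a possible match only. The walk stops at the first definite match,
    or with (None, 'unparsed', line) at a line outside the handled subset."""
    hits = []
    for line in filter(None, map(str.strip, rules.splitlines())):
        m = RULE.match(line)
        if not m:  # skipto, check-state, pipe, ...: do not guess past it
            return hits + [(None, "unparsed", line)]
        num, action, rproto, rsrc, rdst, opts = m.groups()
        if rproto not in ("ip", "all", proto):
            continue
        if not (covers(rsrc, src) and covers(rdst, dst)):
            continue
        toks, rest, ok = opts.split(), [], True
        while toks and ok:
            t = toks.pop(0)
            if t == "out":
                ok = False
            elif t in ("via", "recv") and toks:
                ok = toks.pop(0) == iface
            elif t != "in":
                rest.append(t)
        if ok:
            hits.append((int(num), action, " ".join(rest)))
            if not rest:
                return hits
    return hits
```

A result such as `[(300, 'allow', 'dst-port 22'), (400, 'allow', '')]` reads as: rule 300 applies only if its unchecked options match, otherwise rule 400 decides.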