* firewall + tcpdump
@ 2004-03-30 14:17 Peggy Kam
2004-03-30 14:37 ` Antony Stone
0 siblings, 1 reply; 5+ messages in thread
From: Peggy Kam @ 2004-03-30 14:17 UTC (permalink / raw)
To: netfilter
Hi,
Does tcpdump dump traffic on a network in front of or behind a firewall?
If it dumps traffic in front of a firewall, would anyone kindly suggest
a way to test the firewall?
Thanks in advance,
Peggy
* Re: firewall + tcpdump
2004-03-30 14:17 firewall + tcpdump Peggy Kam
@ 2004-03-30 14:37 ` Antony Stone
2004-03-30 15:16 ` Peggy Kam
0 siblings, 1 reply; 5+ messages in thread
From: Antony Stone @ 2004-03-30 14:37 UTC (permalink / raw)
To: netfilter
On Tuesday 30 March 2004 3:17 pm, Peggy Kam wrote:
> Hi,
>
> Does tcpdump dump traffic on a network in front of or behind a firewall?
Not sure quite what you mean by "in front or behind", however I can tell you that
tcpdump works "closer to the wire" than netfilter, so it will see all traffic
hitting the interface, whether netfilter allows it or not.
> If it dumps traffic in front of a firewall, would anyone kindly suggest
> a way to test the firewall?
Um, test it by sending packets which should be allowed, and making sure they
are, then sending ones which should be blocked, and making sure they are?
Or have I misunderstood the question? How would you propose to use tcpdump
to test the firewall anyway?
Regards,
Antony.
--
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.
- Frank Skinner
Please reply to the list;
please don't CC me.
* Re: firewall + tcpdump
2004-03-30 14:37 ` Antony Stone
@ 2004-03-30 15:16 ` Peggy Kam
2004-03-30 15:25 ` DCulp
2004-03-30 15:50 ` Antony Stone
0 siblings, 2 replies; 5+ messages in thread
From: Peggy Kam @ 2004-03-30 15:16 UTC (permalink / raw)
To: netfilter
As you have said that all traffic hitting the interface is seen whether
netfilter allows it or not, my question was how do I know whether the
packets being sent get blocked?
>Not sure quite what you mean by "in front or behind", however I can tell you that
>tcpdump works "closer to the wire" than netfilter, so it will see all traffic
>hitting the interface, whether netfilter allows it or not.
>
>>If it dumps traffic in front of a firewall, would anyone kindly suggest
>>a way to test the firewall?
>
>Um, test it by sending packets which should be allowed, and making sure they
>are, then sending ones which should be blocked, and making sure they are?
>
>Or have I misunderstood the question? How would you propose to use tcpdump
>to test the firewall anyway?
>
>Regards,
>
>Antony.
* Re: firewall + tcpdump
2004-03-30 15:16 ` Peggy Kam
@ 2004-03-30 15:25 ` DCulp
2004-03-30 15:50 ` Antony Stone
1 sibling, 0 replies; 5+ messages in thread
From: DCulp @ 2004-03-30 15:25 UTC (permalink / raw)
To: Peggy Kam; +Cc: netfilter
Peggy,
Enable logging within your rules , and then check the log files.
David
Peggy Kam <ppkam@n-dsi.com>
Sent by: netfilter-admin@lists.netfilter.org
To: netfilter@lists.netfilter.org
cc:
Subject: Re: firewall + tcpdump
03/30/04 10:16 AM
As you have said that all traffic hitting the interface is seen whether
netfilter allows it or not, my question was how do I know whether the
packets being sent get blocked?
>Not sure quite what you mean by "in front or behind", however I can tell you
>that tcpdump works "closer to the wire" than netfilter, so it will see all
>traffic hitting the interface, whether netfilter allows it or not.
>
>>If it dumps traffic in front of a firewall, would anyone kindly suggest
>>a way to test the firewall?
>
>Um, test it by sending packets which should be allowed, and making sure
>they are, then sending ones which should be blocked, and making sure they are?
>
>Or have I misunderstood the question? How would you propose to use
>tcpdump to test the firewall anyway?
>
>Regards,
>
>Antony.
* Re: firewall + tcpdump
2004-03-30 15:16 ` Peggy Kam
2004-03-30 15:25 ` DCulp
@ 2004-03-30 15:50 ` Antony Stone
1 sibling, 0 replies; 5+ messages in thread
From: Antony Stone @ 2004-03-30 15:50 UTC (permalink / raw)
To: netfilter
On Tuesday 30 March 2004 4:16 pm, Peggy Kam wrote:
> > Not sure quite what you mean by "in front or behind", however I can tell you
> > that tcpdump works "closer to the wire" than netfilter, so it will see
> > all traffic hitting the interface, whether netfilter allows it or not.
>
> As you have said that all traffic hitting the interface is seen whether
> netfilter allows it or not, my question was how do I know whether the
> packets being sent get blocked?
1. If it's a routing firewall, see if the packets come out the other side
(tcpdump on both interfaces).
2. If it's not a routing firewall, see if any response packets come back again
(for TCP).
3. Put a LOG rule in your ruleset just before DROPping the packets, so you
know what got DROPped.
4. If you're really interested in this sort of thing, you might want to
investigate http://www.snort.org
Regards,
Antony.
--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
Please reply to the list;
please don't CC me.
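The LOG-before-DROP approach that David suggests and that Antony lists as point 3 is the easiest one to verify from the firewall itself: every packet the ruleset discards leaves a line in the kernel log, so "did my test packet get blocked?" becomes a log query. The script below is an added example and is not from anyone in the thread. It prints the rule pair (a LOGDROP chain with LOG followed by DROP) rather than running it, so no root or iptables is needed, and it parses constructed kernel log lines in the format the LOG target emits. The prefix "IPT-DROP: ", the host name, the addresses and the ports are all made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumptions: log prefix "IPT-DROP: ", the host "fw", and all addresses
# and ports below are constructed for illustration.

# Rule pair as described in the thread: LOG first, then DROP, so every
# discarded packet is recorded.  Printed, not executed, so the script runs
# anywhere.  The limit match keeps a flood from filling the log.
show_rules() {
    cat <<'EOF'
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
iptables -A LOGDROP -j DROP
iptables -A INPUT -p tcp --dport 23 -j LOGDROP
EOF
}

# Constructed sample of what the kernel log looks like after such a rule
# fires (three drops plus one unrelated sshd line that must be ignored).
SAMPLE_LOG='Mar 30 15:50:01 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 15:50:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 15:50:03 fw sshd[123]: Accepted publickey for peggy from 192.0.2.20 port 50000
Mar 30 15:50:04 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.12 DST=198.51.100.5 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=53 DPT=1900 LEN=16'

# Read log lines on stdin and print one line per logged drop as
# "PROTO SRC:SPT -> DST:DPT".  Each KEY=VALUE token is split on "=";
# tokens without "=" (e.g. "DF", "SYN") are ignored.
dropped_packets() {
    grep 'kernel: IPT-DROP: ' | awk '{
        src = dst = proto = spt = dpt = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        printf "%s %s:%s -> %s:%s\n", proto, src, spt, dst, dpt
    }'
}

# Count logged drops to a given destination port (stdin = log lines).
# Answers the thread's question for one test: send N packets to the port
# that should be blocked, then check that N drops were logged.
count_dropped_to_port() {
    dropped_packets | awk -v port="$1" -F'[ :]' '$NF == port' | wc -l | tr -d ' '
}

# Stand-alone run: show the rules, then summarise the constructed log.
show_rules
printf '%s\n' "$SAMPLE_LOG" | dropped_packets
echo "drops to port 23: $(printf '%s\n' "$SAMPLE_LOG" | count_dropped_to_port 23)"
```

On a real host the log lines come from the kernel ring buffer or syslog (for example `dmesg | dropped_packets`), and the same parser works for any prefix you choose as long as the grep pattern matches it.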