> - One of the big high-level problems with IP Filter (as it is with
>   _all_ firewall software) is visualizing how the rules perform.
>   That is, being able to ask "what if?" questions concerning traffic
>   from other hosts. (Something like: "which rules would match if I
>   received a TCP SYN packet for destination address a.b.c.d and port
>   25 from host foo.bar.com, and what would be the resulting action
>   taken by the system?")
>
>   As someone who uses this stuff frequently, this is often a sore
>   point. It can be hard to determine whether you've gotten
>   everything just right unless you log into some remote system and
>   start attacking your original machine.
>
>   Would it be possible to have something like "tcpdmatch" for this
>   tool?
There is an undocumented tool that is bundled with IP Filter called "ipftest". It is used by various test suites (both in the general open source version and the OpenSolaris version) to do this sort of rule logic testing. It can take various types of input, etc.

It's kind of clunky - input -> rules -> results, and used in the suites to compare expected vs actual. I'm not positive that this is exactly what you're asking for, but it certainly is the underpinnings.

/usr/lib/ipf/ipftest -> isaexec'd

-Paul
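Not part of the thread: a small added illustration, in Python, of the "what if?" question Paul's reply addresses. It is not ipftest and not IP Filter code; the hostnames, addresses and rules are constructed, and it models only the two IPF rule semantics that make such questions hard to answer by eye (ordered evaluation where the last match wins, and `quick`, which stops the search).

```python
"""Added illustration (not ipftest and not IP Filter/Paul's code) of the thread's
"what if?" question: rules are checked in order and the LAST matching rule wins,
unless a match says ``quick``, which ends the search. All values are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: int
    flags: str = ""  # TCP flags; "S" for a bare SYN (exact compare, a simplification)

@dataclass(frozen=True)
class Rule:
    text: str        # rule as it would read in ipf.conf (kept for reporting)
    action: str      # "pass" or "block"
    direction: str
    quick: bool = False
    proto: Optional[str] = None   # None means "any"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[str] = None
    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in (None, p.proto) and self.src in (None, p.src)
                and self.dst in (None, p.dst) and self.dport in (None, p.dport)
                and self.flags in (None, p.flags))

def what_if(rules: List[Rule], p: Packet) -> Tuple[str, List[str]]:
    action, matched = "pass", []   # IP Filter passes when no rule matches
    for r in rules:
        if r.matches(p):
            matched.append(r.text)   # every match is reported, in rule order
            action = r.action        # last match wins ...
            if r.quick:              # ... unless it is quick: later rules are ignored
                break
    return action, matched

RULES = [  # constructed: default deny, one quick SMTP exception, then a catch-all SMTP block
    Rule("block in all", "block", "in"),
    Rule("pass in quick proto tcp from foo.bar.com to a.b.c.d port = 25 flags S",
         "pass", "in", True, "tcp", "foo.bar.com", "a.b.c.d", 25, "S"),
    Rule("block in proto tcp from any to a.b.c.d port = 25",
         "block", "in", False, "tcp", None, "a.b.c.d", 25),
]
SYN_FROM_FOO = Packet("in", "tcp", "foo.bar.com", "a.b.c.d", 25, "S")
```

Dropping `quick` from the second rule flips the answer for `SYN_FROM_FOO` from pass to block, which is exactly the kind of interaction a "what if?" tool is for.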