Paul Wernau wrote:
>
>> - One of the big high-level problems with IP Filter (as it is with
>> _all_ firewall software) is visualizing how the rules perform.
>> That is, being able to ask "what if?" questions concerning traffic
>> from other hosts. (Something like: "which rules would match if I
>> received a TCP SYN packet for destination address a.b.c.d and port
>> 25 from host foo.bar.com, and what would be the resulting action
>> taken by the system?")
>>
>> As someone who uses this stuff frequently, this is often a sore
>> point. It can be hard to determine whether you've gotten
>> everything just right unless you log into some remote system and
>> start attacking your original machine.
>>
>> Would it be possible to have something like "tcpdmatch" for this
>> tool?
>>
>
> There is an undocumented tool that is bundled with IP Filter called
> "ipftest". It is used by various test suites (both in the general open
> source version and the OpenSolaris version) to do this sort of rule
> logic testing. It can take various types of input, etc.
>
> It's kind of clunky - input -> rules -> results, and used in the suites
> to compare expected vs actual.
>
> I'm not positive that this is exactly what you're asking for, but it
> certainly is the underpinnings.
>
> /usr/lib/ipf/ipftest -> isaexec'd
>
Thanks Paul. I'll take a look at ipftest. -tony
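A minimal "what if?" evaluator of the kind the thread asks for, added here as an illustration; it is not ipftest and not part of the original exchange. It handles only a constructed subset of ipf rule syntax (action, direction, quick, on, proto, from/to with an optional port) and reproduces IP Filter's evaluation order: the last matching rule decides unless a matching rule carries quick, which ends evaluation immediately.

```python
import ipaddress
import re

# Constructed ruleset (assumption: only this subset of ipf.conf syntax is
# supported; state, flags, groups, log options etc. are deliberately absent).
RULES = """
block in all
block in quick on hme0 proto tcp from 10.0.5.0/24 to any port = 25
pass in quick on hme0 proto tcp from 10.0.0.0/8 to 192.0.2.10 port = 25
pass out all
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)$")


def parse_rules(text):
    """Parse the supported rule subset into a list of dicts, in file order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append(m.groupdict())
    return rules


def _addr_match(spec, addr):
    # 'all' rules leave spec as None; 'any' and None both match every address.
    if spec is None or spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec is None or int(spec) == port


def what_if(rules, direction, iface, proto, src, sport, dst, dport):
    """Return (final action, 1-based numbers of the rules that matched).
    Last match wins; a matching 'quick' rule stops the walk at once.
    Assumption: nothing matching means pass (IP Filter's default policy)."""
    result, matched = "pass", []
    for n, r in enumerate(rules, 1):
        if r["dir"] != direction or (r["iface"] and r["iface"] != iface):
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if not (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)):
            continue
        if not (_port_match(r["sport"], sport) and _port_match(r["dport"], dport)):
            continue
        matched.append(n)
        result = r["action"]
        if r["quick"]:
            break
    return result, matched
```

Asking "SMTP from 10.0.5.7 to 192.0.2.10" returns ("block", [1, 2]) because rule 2 is quick, whereas the same packet from 10.0.1.1 reaches rule 3 and returns ("pass", [1, 3]).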