On 08/19/08 13:12, Tony Nguyen wrote:
> Paul Wernau wrote:
>   
>>>   - One of the big high-level problems with IP Filter (as it is with
>>>     _all_ firewall software) is visualizing how the rules perform.
>>>     That is, being able to ask "what if?" questions concerning traffic
>>>     from other hosts.  (Something like: "which rules would match if I
>>>     received a TCP SYN packet for destination address a.b.c.d and port
>>>     25 from host foo.bar.com, and what would be the resulting action
>>>     taken by the system?")
>>>
>>>     As someone who uses this stuff frequently, this is often a sore
>>>     point.  It can be hard to determine whether you've gotten
>>>     everything just right unless you log into some remote system and
>>>     start attacking your original machine.
>>>
>>>     Would it be possible to have something like "tcpdmatch" for this
>>>     tool?
>>>
>>>       
>> There is an undocumented tool that is bundled with IP Filter called 
>> "ipftest".  It is used by various test suites (both in the general open 
>> source version and the OpenSolaris version) to do this sort of rule 
>> logic testing.  It can take various types of input, etc.
>>
>> It's kind of clunky - input -> rules -> results, and used in the suites 
>> to compare expected vs actual.
>>
>> I'm not positive that this is exactly what you're asking for, but it 
>> certainly is the underpinnings.
>>
>> /usr/lib/ipf/ipftest -> isaexec'd
>>
>>     
>
> Thanks Paul. I'll take a look at ipftest.
>   

If you're looking for clues on how to drive this, look in the
test gate - /ws/onnv-stc2-clone/src/suites/net/ipfilter/legacy/[1].
The directory regress is the rules tested, input the input to
test the rules with and expected is what it endeavours to produce.

The only real dilemma is that stdin can't be used as the input
for both rules and "packets".

There is a collection of scripts to drive it all...

Darren

[1] if you're not on SWAN, you won't be able to see it as
not all of STC2 is on Opensolaris, but you can find the
equivalent files on sourceforge:
http://ipfilter.cvs.sourceforge.net/ipfilter/ipfilter/test/
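An added example, not code from the thread or from the IP Filter test suite: a small POSIX sh driver in the shape Darren describes (regress/ holds the rules, input/ the packets, expected/ the output each case should produce). It assumes ipftest at /usr/lib/ipf/ipftest accepting -r for the rule file and -i for the packet input; the suite directory, case names and the fake ipftest used below are constructed placeholders.

```shell
#!/bin/sh
# Drive ipftest over a regress/input/expected tree and compare results.
# IPFTEST and SUITE are assumptions; override them from the environment.
IPFTEST=${IPFTEST:-/usr/lib/ipf/ipftest}
SUITE=${SUITE:-.}

# run_case NAME: rules from regress/NAME, packets from input/NAME,
# result compared with expected/NAME. Returns 0 on match, 1 on mismatch,
# 2 when one of the three files is missing.
run_case() {
    name=$1
    rules="$SUITE/regress/$name"
    input="$SUITE/input/$name"
    expect="$SUITE/expected/$name"
    for f in "$rules" "$input" "$expect"; do
        [ -f "$f" ] || { echo "$name: missing $f" >&2; return 2; }
    done
    # rules and packets come from separate files because, as noted above,
    # stdin cannot be used for both
    actual=$("$IPFTEST" -r "$rules" -i "$input" 2>&1)
    if [ "$actual" = "$(cat "$expect")" ]; then
        echo "$name: PASS"
        return 0
    fi
    echo "$name: FAIL"
    # show expected (left) vs actual (right) for the failing case
    printf '%s\n' "$actual" | diff "$expect" - >&2 || true
    return 1
}

# run_suite: run every case named in regress/ and return the failure count.
run_suite() {
    fails=0
    for r in "$SUITE"/regress/*; do
        [ -f "$r" ] || continue
        run_case "$(basename "$r")" || fails=$((fails + 1))
    done
    echo "$fails failure(s)"
    return $fails
}
```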
