ipv6 firewall testing tool?
Shadow Hawkins on Wednesday, 13 December 2006 08:41:49
Hello!
I wonder if there are any publicly available testing tools for IPv6 firewalls (ip6tables in my case). I am aware that there is a patch for nmap, but I'd prefer to have a web-based testing tool, like http://www.grc.com (I know, I know...) or http://www.testadatorn.se (Swedish site run by the Swedish mail/telecom regulation board, that uses nessus and quite a large test suite, as well as tests for known security holes).
I am aware of the downside of using external testing, i.e. giving an external party the chance to find holes in your security, but I find it to be a good complement to running internal firewall tests, and it gives that warm fuzzy feeling having someone else confirm that firewall rules are doing what they should.
ipv6 firewall testing tool?
Shadow Hawkins on Wednesday, 13 December 2006 09:14:26
Hi :)
You could try to patch nmap.[php|cgi] to use nmap over IPv6.
ipv6 firewall testing tool?
Shadow Hawkins on Tuesday, 23 January 2007 15:34:30
Thanks for the tip. I've already used it, and it works fine, apart from that it provides me with a view from within my subnet. It'd be nice to get the same view from outside the router to make sure I have not left any obvious cracks in the firewall. :)
I guess I can use an external machine I have access to, but then I run into the same problem I always do when testing externally, lack of privileges to run some tests and persuading the admin on that machine that my activities are legitimate. (In this case I think that will be possible apart from the privilege part)
On a related note, are there any links to pages with recommended ip6tables rules that I should take a look at? For now I have settled on allowing ssh traffic between my machines, most ICMP, outbound http/https and not much else, and nmap seems to confirm this. Any other ports/protocols that should be allowed/disallowed in order to have IPv6 run smoothly?
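A way to check a saved ruleset against the policy described in the post above (ssh only between your own machines, ICMPv6 left working), as an added example that is not part of the original thread. It parses `ip6tables-save` output; the sample ruleset, the 2001:db8:: prefix and the `audit` function are constructed for illustration, and the list of essential ICMPv6 types is an assumption based on RFC 4890.

```python
import shlex

# Inbound ICMPv6 types an IPv6 host needs (RFC 4890); dropping them breaks
# path MTU discovery, autoconfiguration or neighbor discovery.
ESSENTIAL_ICMPV6 = {2: "packet-too-big", 134: "router-advertisement",
                    135: "neighbor-solicitation", 136: "neighbor-advertisement"}

# Constructed sample in ip6tables-save format; 2001:db8::/32 is documentation space.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -s 2001:db8:1::/64 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

def audit(dump, allowed_tcp=(22,)):
    """Report INPUT policy, essential ICMPv6 types lacking an ACCEPT rule, and world-open TCP ports."""
    policy, icmp_seen, any_icmp, open_tcp = None, set(), False, []
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        if not line.startswith("-A INPUT "):
            continue
        tok = shlex.split(line)
        # Map each option to the token after it (enough for simple rules like these).
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opt.get("-j") != "ACCEPT":
            continue
        proto = opt.get("-p")
        if proto in ("ipv6-icmp", "icmpv6"):
            icmp_type = opt.get("--icmpv6-type")
            if icmp_type is None:
                any_icmp = True  # rule accepts every ICMPv6 type
            elif icmp_type.split("/")[0].isdigit():
                icmp_seen.add(int(icmp_type.split("/")[0]))
        elif proto == "tcp" and opt.get("--dport", "").isdigit():
            port = int(opt["--dport"])
            if "-s" not in opt and port not in allowed_tcp:
                open_tcp.append(port)  # accepted from any source address
    missing = [] if any_icmp else [
        name for t, name in sorted(ESSENTIAL_ICMPV6.items()) if t not in icmp_seen]
    return {"input_policy": policy, "missing_icmpv6": missing, "open_tcp": open_tcp}
```

A RELATED,ESTABLISHED state rule may already pass ICMPv6 errors such as type 2, so treat a reported gap as something to test rather than proof of breakage.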
ipv6 firewall testing tool?
Shadow Hawkins on Thursday, 25 January 2007 00:29:47
Hi there ;)
You can look for test addresses to block.
You should really care about each open service in IPv6, since the time of nice guys might soon be over.
And there are papers on creating IPv6 Viri out there. (1)
Also I guess you can set the Source IP (RTFM =:) in nmap. So no other Server is needed for scanning.
Anyway some good Firewall Examples for the SixXS FAQ shall be written by the wise.
1) Have not yet looked over it