Verifying a Firewall with Hping

When things go wrong on the network, people will usually blame the firewall, even without any in-depth knowledge of the problem. More often than not the problem arises without any configuration change to the infrastructure devices; usually the change was a mistake in a server configuration or something similar.

Figure 1, Simple Firewall Topology

Figure 1 shows a simple network: two machines, a client on the inside and a server in the DMZ, with a firewall between them. We will verify the functionality of the firewall, both connectivity and policy enforcement, using a Unix command-line tool by the name of Hping. Hping lets you build custom packets from the command line, which is exactly what we need for testing a firewall.

For example, let's say we have a web server in the DMZ, but users are complaining that they can't connect to it from outside the firewall, and are blaming the firewall. We can perform a simple test from the outside to verify that traffic is able to reach port 80 on the web server.

$ sudo hping3 --syn --destport 80 --count 3 192.168.0.10
HPING 192.168.0.10 (en1 192.168.0.10): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.10 ttl=64 id=3676 sport=80 flags=RA seq=0 win=0 rtt=1.7 ms
len=46 ip=192.168.0.10 ttl=64 id=3677 sport=80 flags=RA seq=1 win=0 rtt=1.2 ms
len=46 ip=192.168.0.10 ttl=64 id=3678 sport=80 flags=RA seq=2 win=0 rtt=1.2 ms

--- 192.168.0.10 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.2/1.4/1.7 ms

From the results we can see that our TCP packet with the SYN flag does reach the web server, which responds with a reset (flags=RA, i.e. RST/ACK) packet. So we know that the initial packet is passing through the firewall without problems, but the web server itself is refusing the connection for reasons unknown.

Next, send an ICMP Echo Request to the inside host address (if it is not being NAT'd) or to its static outside NAT address. This verifies that the firewall forwards packets correctly and, if configured to do so, performs NAT.

$ sudo hping3 --icmptype 8 192.168.2.10
HPING 192.168.2.10 (en1 192.168.2.10): icmp mode set, 28 headers + 0 data bytes
len=28 ip=192.168.2.10 ttl=64 id=940 icmp_seq=0 rtt=1.5 ms
len=28 ip=192.168.2.10 ttl=64 id=941 icmp_seq=1 rtt=1.5 ms
len=28 ip=192.168.2.10 ttl=64 id=942 icmp_seq=2 rtt=1.6 ms

--- 192.168.2.10 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.5/1.5/1.6 ms

These basic, yet often overlooked, tests can verify that the firewall is doing its job and is not the cause of the problem the users keep complaining about.
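The two checks above (the TCP SYN probe to port 80 and the ICMP echo request) are easy to repeat by hand, but when a change window is blamed for a fault it helps to have them written down as an expected policy and run in one go. The script below is an added example, not part of the original post: it wraps hping3 with the same options used above, classifies the output into open / closed / reachable / filtered, and compares each probe against a rules file. It assumes hping3 is installed and runnable via sudo; the rules-file format, the PROBE hook and the file name firewall-check.sh are choices made for this example, and the constructed SAMPLE_CLOSED text mirrors the output shape shown above so the parser can be exercised without sending packets.

```shell
#!/bin/sh
# Added example (not from the original post): a small hping3 wrapper that
# turns the two manual checks above into a repeatable firewall policy test.
# Assumptions: hping3 is installed and runnable via sudo; hosts, ports and
# the rules-file format are placeholders chosen for this example.

# Constructed sample output in the shape the post shows (a SYN to port 80
# answered with RST/ACK). Used to exercise the parser without sending packets.
SAMPLE_CLOSED='HPING 192.168.0.10 (en1 192.168.0.10): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.10 ttl=64 id=3676 sport=80 flags=RA seq=0 win=0 rtt=1.7 ms
--- 192.168.0.10 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss'

# classify_hping: read hping3 output on stdin and print one verdict word.
#   open       SYN/ACK came back: packets pass the firewall and a service listens
#   closed     RST/ACK came back: packets pass the firewall, nothing listens
#   reachable  ICMP echo replies came back (the post's second test)
#   filtered   nothing came back: dropped by a firewall, or host unreachable
classify_hping() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'flags=SA'; then
    echo open
  elif printf '%s\n' "$out" | grep -q 'flags=RA'; then
    echo closed
  elif printf '%s\n' "$out" | grep -q 'icmp_seq='; then
    echo reachable
  elif printf '%s\n' "$out" | grep -q ' 0 packets received'; then
    echo filtered
  else
    echo unknown
  fi
}

# probe_port HOST PORT: the post's TCP SYN test, three packets, classified.
# stderr is merged because hping3 prints its summary there.
probe_port() {
  sudo hping3 --syn --destport "$2" --count 3 "$1" 2>&1 | classify_hping
}

# probe_icmp HOST: the post's ICMP echo request test (type 8), classified.
probe_icmp() {
  sudo hping3 --icmptype 8 --count 3 "$1" 2>&1 | classify_hping
}

# check_policy: read "host port expected" lines from stdin (expected is one
# of open, closed, filtered; "#" starts a comment), probe each, and print a
# PASS/FAIL line per rule. Exit status is non-zero if any rule failed, so the
# script can gate a change window. PROBE can name a replacement probe
# function (used by tests) and defaults to probe_port.
check_policy() {
  fails=0
  while read -r host port expected; do
    case "$host" in ''|'#'*) continue ;; esac
    got=$("${PROBE:-probe_port}" "$host" "$port" </dev/null)
    if [ "$got" = "$expected" ]; then
      echo "PASS $host:$port $got"
    else
      echo "FAIL $host:$port expected=$expected got=$got"
      fails=$((fails + 1))
    fi
  done
  [ "$fails" -eq 0 ]
}

# Entry point: `sh firewall-check.sh run < rules.txt`
if [ "${1:-}" = "run" ]; then
  check_policy
fi
```

A rules file for the topology in Figure 1 would contain one line per firewall decision you expect, for example `192.168.0.10 80 open` for the published web server and a `filtered` line for a port the policy should block. A `closed` verdict on a port you expected to be `open` is the situation described above: the firewall is passing the packet and the fault lies on the server.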

Jan 8th, 2011 • Posted in ASA, Troubleshooting