List:       ipfilter
Subject:    Re: testing an OpenBSD ipf bridge using a second computer
From:       Clayton Fiske <clay () bloomcounty ! org>
Date:       2000-12-20 19:14:48

On Wed, Dec 20, 2000 at 07:11:36PM +0100, Wolfram Abesser wrote:
> 
> 
> Nick Evans wrote:
> > 
> > You're putting two, bridging logical firewalls in one box? I've done this
> > before. Let me know what you need.
> 
> I set up one box as an "invisible" ipfilter bridge with no IP
> addresses assigned to the NICs.
> This box should go between our router to the ISP and our DMZ.
> But before I put it into service, I'd like to test this bridge with a
> second computer containing another two NICs.
> This computer (called test in the graph) should just send packets
> out of one of its interfaces to the bridge and listen for any packets
> which were passed through (or blocked by) the bridge and
> arrived at "the other side".
> The idea is to test the bridge as a black box rather than just checking
> its rules internally.

One thing you might consider trying is to set the test box as follows:

1. Make sure forwarding is off on the test box

2. Give only one of the interfaces on the test box an IP that you wish
to test, and make the other an unrelated IP.

3. Set a default route via that interface (this may take some tricks)

4. Send any traffic you wish to test, and listen for it on the other
interface.

Assuming you can get it to point default at that interface without having
to have a reachable gateway IP, you should be able to test packet flow
in one direction at a time at least. Obviously this won't really help you
test stateful 2-way traffic filtering, but for basic rule tests it should
work.

-c
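The four-step setup above, as an added example that is not part of this thread and not an OpenBSD or ipfilter tool: a Bourne-shell script for the test box. Interface names (fxp0/fxp1), the addresses, the fake-gateway MAC and the DRY_RUN switch are assumptions; the static-ARP trick used for step 3 is one way to fill in the "some tricks" the mail leaves open, not necessarily the one the author had in mind.

```shell
#!/bin/sh
# Added example, not from the original thread: drive a one-direction
# black-box probe of an IP-less ipf bridge from a second box with two NICs.
# Interface names, addresses and the fake-gateway MAC below are assumptions;
# override them in the environment to match your test box.
set -eu

TEST_IF=${TEST_IF:-fxp0}              # NIC on the bridge's "router" side
LISTEN_IF=${LISTEN_IF:-fxp1}          # NIC on the bridge's "DMZ" side
TEST_IP=${TEST_IP:-192.0.2.10}        # the address the ipf rules are written for
UNRELATED_IP=${UNRELATED_IP:-10.99.99.1}   # keeps LISTEN_IF out of the test subnet
FAKE_GW=${FAKE_GW:-192.0.2.1}         # on-link "gateway" that nobody answers for
FAKE_GW_MAC=${FAKE_GW_MAC:-00:00:5e:00:53:01}  # static ARP entry for it
TARGET=${TARGET:-198.51.100.25}       # destination the probes are aimed at
DRY_RUN=${DRY_RUN:-1}                 # 1 = print the commands, 0 = execute (as root)

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1-3: put the test box into the state described in the mail.
setup_test_box() {
    # 1. Forwarding off: otherwise the kernel could route a probe straight
    #    from TEST_IF to LISTEN_IF and the bridge would never see it.
    #    (OpenBSD releases of that era spell this "sysctl -w".)
    run sysctl net.inet.ip.forwarding=0
    # 2. Only TEST_IF carries the address under test; LISTEN_IF gets an
    #    address on an unrelated network so no route prefers it.
    run ifconfig "$TEST_IF" inet "$TEST_IP" netmask 255.255.255.0 up
    run ifconfig "$LISTEN_IF" inet "$UNRELATED_IP" netmask 255.255.255.0 up
    # 3. Default route out of TEST_IF with no reachable gateway. The trick
    #    assumed here: pin a static ARP entry for an on-link address that
    #    does not exist, then use it as the gateway. The kernel never has to
    #    ARP, the frame leaves TEST_IF addressed to FAKE_GW_MAC, and the
    #    bridge floods it to its other port because it has never learned
    #    that MAC.
    run arp -s "$FAKE_GW" "$FAKE_GW_MAC"
    run route add default "$FAKE_GW"
}

# Step 4a: send one kind of probe toward TARGET; it can only leave via TEST_IF.
send_probe() {
    proto=$1
    port=${2:-}
    case $proto in
        icmp) run ping -c 3 "$TARGET" ;;
        tcp)  run nc -z -w 2 "$TARGET" "$port" ;;
        udp)  run nc -u -z -w 2 "$TARGET" "$port" ;;
        *)    echo "unknown probe type: $proto" >&2; return 2 ;;
    esac
}

# Step 4b: capture on LISTEN_IF. -e shows the MACs, so a flooded frame carrying
# FAKE_GW_MAC is easy to recognise; $1 is the number of packets to wait for.
listen_other_side() {
    run tcpdump -n -e -i "$LISTEN_IF" -c "$1" host "$TARGET"
}

# Compare the rule set's intended action with what actually arrived.
# $1 = pass|block (what the rules should do), $2 = packets captured on LISTEN_IF.
verdict() {
    case "$1:$2" in
        pass:0)  echo "FAIL: rules say pass but nothing crossed the bridge" ;;
        pass:*)  echo "OK: passed as expected ($2 packets)" ;;
        block:0) echo "OK: blocked as expected" ;;
        block:*) echo "FAIL: rules say block but $2 packets crossed the bridge" ;;
        *)       echo "usage: verdict pass|block count" >&2; return 2 ;;
    esac
}

main() {
    setup_test_box
    listen_other_side 3 &     # start the capture before sending anything
    sleep 1
    send_probe tcp 80
    wait
}

# Only run the whole sequence when explicitly asked; sourcing the file just
# defines the functions.
if [ "${RUN_BRIDGE_TEST:-0}" = 1 ]; then
    main
fi
```

With DRY_RUN=1 (the default) the script only prints the plan; `RUN_BRIDGE_TEST=1 DRY_RUN=0 sh bridge-test.sh` as root executes it. When a probe never shows up on LISTEN_IF, run a second tcpdump on TEST_IF before calling it "blocked", so that a probe that never left the box is not mistaken for a rule match; ipmon on the bridge itself gives a second witness for the same packet.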
