Saturday, July 12, 2008

Firewall Testing (Hardening)

Here are some tools and techniques to test if your firewall is up to scratch:
Contains various tests for the firewall, including port scanners, stealth testing, leak tests and others.
For the leak test, download PCFlankLeaktest.exe. This test tries to send some information out of your PC to the PCFlank site. The results are shown in

. According to PCFlank, only Outpost Firewall Pro and Tiny Personal Firewall pass the leaktest. At PCKingsford, we have tried the FREE Comodo Firewall Pro (CFP) and this works. If it fails, you just need to be sure that you have not told CFP to ALLOW it. To check whether an application is allowed in CFP, open CFP, go to Defense+ at the top, then go to the Advanced tab on the left menu, then click Computer Security Policy. Look for the application name and edit the rules for it.

2. ShieldsUp at
Click on the Services tab on the website, then select ShieldsUp. Follow the instructions to test your firewall via this website. The tests include:
File Sharing
Common Ports
All Service Ports
Messenger Spam
Browser Helpers

3. Leaktest 1.2 at This is one of the original firewall leaktest programs that started it all.

4. Firewall Leak Tester -
This is a one-stop shop for leak tester programs you can use to test your software. It has over 26 leak testers. The website published results comparing various firewalls, but note that the comparison was done in 2006, so it may be outdated. You can always download the leak testers and test individually.
Other leak testers are:

(this article can be seen at

5. Testing exploits to PC. - simulates Denial of Service attacks on your system.

6. Question on "How Does a Router Protect?" has some answers here:

7. Linux - IPTABLES
For Linux users, the software firewall IPTABLES allows maximum configurability.
More details can be found in the "Linux Firewall" section in:

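A list of simple rules is given here as an example for
Super Stealth mode
# Drop all inbound traffic by default
iptables -P INPUT DROP
# Flush existing rules and delete user-defined chains
iptables -F
iptables -X
# Accept replies to connections this machine started
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
Once you've executed them, use this command for the stealth config to stick:
service iptables save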

The above rules are quite strict. For simple web browsing, try this:
Basic Web Browsing mode
iptables -F
iptables -A INPUT -i lo -j ACCEPT
# Replies to outbound HTTP and DNS requests are accepted by this rule
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# No "--sport 80" or "--sport 53" ACCEPT rules here: a rule that matches on
# source port alone accepts unsolicited packets from any host sending from that port
iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Write the running rules to the file loaded at boot
iptables-save > /etc/sysconfig/iptables

then to restart:
service iptables save
service iptables start
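
An offline check for rulesets like the two above, as an added example that is not from the original post: it reads iptables commands (or `iptables -S` output) and flags INPUT rules that ACCEPT on source port without a state match, rules appended after a catch-all DROP, and a chain that falls through to ACCEPT. The function name, finding codes and sample ruleset are constructed for illustration.

```python
import shlex

SPORT_FLAGS = {"--sport", "--source-port", "--sports", "--source-ports"}
STATE_FLAGS = {"--state", "--ctstate"}

# Constructed sample ruleset (not taken from a live system).
SAMPLE = """\
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
"""


def audit_input(ruleset):
    """Return (line_number, code) findings for the INPUT chain of a ruleset."""
    rules, policy = [], "ACCEPT"  # built-in chains start with policy ACCEPT
    for n, line in enumerate(ruleset.splitlines(), 1):
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["iptables"]:
            tok = tok[1:]
        if tok[:1] == ["-F"] and tok[1:2] in ([], ["INPUT"]):
            rules = []  # a flush discards earlier rules but keeps the policy
        elif tok[:2] == ["-P", "INPUT"] and len(tok) == 3:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"]:
            rules.append((n, tok[2:]))

    findings, catch_all = [], None
    for n, args in rules:
        target = args[args.index("-j") + 1] if "-j" in args[:-1] else None
        if catch_all is not None:
            # Rules are evaluated in order, so nothing after a catch-all matches.
            findings.append((n, "UNREACHABLE"))
        elif target == "ACCEPT" and SPORT_FLAGS & set(args) and not STATE_FLAGS & set(args):
            # Source port is chosen by the sender, so this admits unsolicited traffic.
            findings.append((n, "SPORT_NO_STATE"))
        elif args == ["-j", target] and target in ("DROP", "REJECT"):
            catch_all = n
    if catch_all is None and policy == "ACCEPT":
        findings.append((0, "DEFAULT_ACCEPT"))  # line 0: applies to the whole chain
    return findings


if __name__ == "__main__":
    for line_no, code in audit_input(SAMPLE):
        print(line_no, code)
```
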

Links to IPTABLES configuration:
