Nmap: Firewall configuration testing

This is the sixth in a series of tips on how to use Nmap in an enterprise network environment.

So far in this series, we've looked at how Nmap can be used for network mapping and port scanning.

    Requires Free Membership to View

In this tip we'll look at how Nmap can also be used to test the effectiveness of your firewall configuration.

One of the best ways to understand how your firewall handles uninvited traffic is to verify that its filters and rules are working as you anticipated. For example, one mistake many administrators make when creating rules for allowing traffic through their firewall is to trust traffic based simply on its source port number, such as DNS replies from port 53 or FTP from port 20. To test whether your firewall allows all traffic through on a particular port you can use most of Nmap's TCP scans, including the SYN scan, with the spoof source port number option (--source-port or abbreviated just to –g). Simply provide a port number, and Nmap will send packets from that port where possible. For example, the following command will run a FIN scan using a spoofed source port number of 25 (SMTP) saving the output to file firewallreport.txt.

nmap -sF -g 25 -oN firewallreport.txt www.yourorg.com

It's also worthwhile to test your firewall's ability to cope with fragmented traffic. Attackers often split up the TCP header over several packets to make it harder for packet filters and intrusion detection systems to detect an attack. While fragmented packets won't get past packet filters and firewalls that queue all IP fragments, many devices have queuing disabled by default to avoid a drop in performance. Just

More about Nmap

Read our previous tip on using Nmap to scan ports and services.

Learn how to install Nmap on Linux or Windows.

Learn why Nmap is a valuable tool.

add the -f option to set a scan to send fragmented IP packets.

When auditing your firewall, I recommend that you scan ports in numerical order (option -r) to make it easier to follow the traffic flow when analyzing the Nmap output files. However, when testing the effectiveness of firewalls and intrusion detection systems, use the default, which is a randomized port order, in addition to randomizing the order in which hosts are scanned by using the randomize-hosts option, which can be abbreviated to –rH. This, combined with slow timing options, which we will look at next week, will make any network monitoring devices you have work hard to detect the scan. An example command to test your network defences could be:

nmap -sS --scan-delay 500 -f -rH firewallreport.txt www.yourorg.com.

Once you have identified any unfiltered ports or other issues, you should review your firewall rules to ensure that access to all services is controlled, and that filters and rules are performing as intended. After changes are implemented, run Nmap again to check that your changes achieve the desired effect. Nmap offers many features for circumventing poorly implemented firewalls, so play the role of an attacker and find out whether your network defences can cope with FTP bounce scans, idle scans or fragmentation attacks.


  Nmap: A valuable open source tool for network security
  How to install and configure Nmap for Windows
  How to install and configure Nmap on Linux
  How to scan ports and services
  More port scanning techniques
 Firewall configuration testing
  Techniques for improving Nmap scan times
  Interpreting and acting on Nmap scan results
  Nmap parsers and interfaces
  Nmap and the open source debate

This was first published in July 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.