Tuesday, February 24, 2009

Episode #2 - Looking at the Config of Built-In Firewall

Ed's netsh Kung Fu:

On a Windows box, show all ports allowed through the built-in firewall:

C:\> netsh firewall show portopening

Show all programs allowed to communicate through the built-in firewall:

C:\> netsh firewall show allowedprogram

Show all configuration options of built-in firewall:

C:\> netsh firewall show config

Gosh, I love the netsh command!

Paul's Comments:

On Linux, list all iptables firewall rules in all chains:

# iptables -t nat -nL
# iptables -t mangle -nL
# iptables -t filter -nL
# iptables -t raw -nL

I find it important to list out all chains in all tables so there are no rules that "hide" from you. Also, the "-n" is important to avoid reverse lookups that could take a long time to run. It would be nice to run this in one command...

Hal's Comments:

Paul, you mean one command like this?

# for type in nat mangle filter raw; do iptables -t $type -nL; done

OK, maybe it's not strictly speaking one command, but it's at least one command line. :-) I also like using the "-v" option when dumping my iptables chains so that I can see the number of times a given rule and/or chain was triggered.

Paul's Comments:

Yes, that's exactly what I need! Oftentimes during a penetration test, or even during normal systems administration troubleshooting, I want to see ALL the iptables rules. In a penetration test this is an information gathering exercise, in addition to gaining an understanding of how to communicate with the host we've compromised. For systems administration I will often set up iptables rules, either in place of or in addition to a network-based firewall. This command is useful to see the rules in all tables and chains to hunt down any connectivity issues.