sunhux
asked on
ways/tools to check for ports required by applications (netstat -an?) to facilitate firewall rules creation
We ran into this problem from time to time :
the outsourced vendors/support staff (like application developers, CA Unicentre monitoring team
member) would request our firewall administrator to permit certain Tcp/Udp ports to be pass
through the firewall/Cisco switch.
Problem is :
the vendor/support staff themselves are often not 100% certain which Tcp/Udp ports their
application require & if the ports used by return traffic (In Cisco ACL, this is often done by
"permit ... established ..." which permit return traffic to come back through high ports).
Our firewall admin is green & would only do just the firewall permissioning. I have no access
to the firewall & the firewall admin told me the Sidewinder/Borderware do not have logs which
could give us any clue as to what Tcp/Udp ports the application is attempting to connect through
or return traffic uses.
Let's assume the firewall/Cisco network admin is not going to help (I know in Cisco ACL, we can
put one last rule in the ACL as "deny ip any any log" & that would log the denied traffic & we
can then issue "show log" to see the denied traffic - which the firewall/network guy won't do.
Is there anything I can do on the source & destination servers to establish which ports are
required? On Windows MSDos prompt or Linux OS level (of the source server), I thought
of issuing
netstat -an 1 | find "source_or_destination_IP_
& then on the source server, launch the application/command to make the connection &
the continuous "netstat" would reflect which port it's attempting to connect through.
For successful connections, "netstat -an" would show the status as "ESTABLISHED"
However, for Udp ports, don't think it will be shown as "ESTABLISHED", am I right? as
Udp is connectionless protocol?? Wou
Any script (that's rapidly/continously running) or free tools that I can run on the source &
destination servers that could help me determine which ports are the servers attempting
to connect to ?
Suppose the firewall admin finally allows me to gain a brief access to the firewall's Unix
command line, what command I can issue to find out the tcp ports, if any ?
If needed, I can possibly plug a notebook with ethereal in between but I'm totally green
with Ethereal - any simpler and free network port sniffer?
Very often, there's return traffic too & this needs to be sniffed out too, eg:
passive ftp initiated on Tcp port 20 from source & think high port needed for return traffic
ftp data used Tcp 21 (believe if it's get, it would be from destination to source while
if it's put, it would be from source to destination??)
My all time favorite in the days I'm a firewall admin is to create a universal rule(s) which
permit all Tcp/Udp ports between the source/destination & issue "netstat -an | grep addrs"
on both source/destination, remove the universal rule & create more restrictive rule(s).
the outsourced vendors/support staff (like application developers, CA Unicentre monitoring team
member) would request our firewall administrator to permit certain Tcp/Udp ports to be pass
through the firewall/Cisco switch.
Problem is :
the vendor/support staff themselves are often not 100% certain which Tcp/Udp ports their
application require & if the ports used by return traffic (In Cisco ACL, this is often done by
"permit ... established ..." which permit return traffic to come back through high ports).
Our firewall admin is green & would only do just the firewall permissioning. I have no access
to the firewall & the firewall admin told me the Sidewinder/Borderware do not have logs which
could give us any clue as to what Tcp/Udp ports the application is attempting to connect through
or return traffic uses.
Let's assume the firewall/Cisco network admin is not going to help (I know in Cisco ACL, we can
put one last rule in the ACL as "deny ip any any log" & that would log the denied traffic & we
can then issue "show log" to see the denied traffic - which the firewall/network guy won't do.
Is there anything I can do on the source & destination servers to establish which ports are
required? On Windows MSDos prompt or Linux OS level (of the source server), I thought
of issuing
netstat -an 1 | find "source_or_destination_IP_
& then on the source server, launch the application/command to make the connection &
the continuous "netstat" would reflect which port it's attempting to connect through.
For successful connections, "netstat -an" would show the status as "ESTABLISHED"
However, for Udp ports, don't think it will be shown as "ESTABLISHED", am I right? as
Udp is connectionless protocol?? Wou
Any script (that's rapidly/continously running) or free tools that I can run on the source &
destination servers that could help me determine which ports are the servers attempting
to connect to ?
Suppose the firewall admin finally allows me to gain a brief access to the firewall's Unix
command line, what command I can issue to find out the tcp ports, if any ?
If needed, I can possibly plug a notebook with ethereal in between but I'm totally green
with Ethereal - any simpler and free network port sniffer?
Very often, there's return traffic too & this needs to be sniffed out too, eg:
passive ftp initiated on Tcp port 20 from source & think high port needed for return traffic
ftp data used Tcp 21 (believe if it's get, it would be from destination to source while
if it's put, it would be from source to destination??)
My all time favorite in the days I'm a firewall admin is to create a universal rule(s) which
permit all Tcp/Udp ports between the source/destination & issue "netstat -an | grep addrs"
on both source/destination, remove the universal rule & create more restrictive rule(s).
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Any suggestions on what I can do on the source & destination servers,
even if it's less than ideal, would be most welcome.
If you have a freeware like "nmap" that can be run (without the need
to do installation on the servers), would be nice