We help IT Professionals succeed at work.

ways/tools to check for ports required by applications (netstat -an?) to facilitate firewall rules creation

678 Views
Last Modified: 2008-08-14
We ran into this problem from time to time :

the outsourced vendors/support staff (like application developers, CA Unicentre monitoring team
member) would request our firewall administrator to permit certain Tcp/Udp ports to be pass
through the firewall/Cisco switch.

Problem is :
the vendor/support staff themselves are often not 100% certain which Tcp/Udp ports their
application require & if the ports used by return traffic (In Cisco ACL, this is often done by
"permit ... established ..." which permit return traffic to come back through high ports).

Our firewall admin is green & would only do just the firewall permissioning.  I have no access
to the firewall & the firewall admin told me the Sidewinder/Borderware do not have logs which
could give us any clue as to what Tcp/Udp ports the application is attempting to connect through
or return traffic uses.

Let's assume the firewall/Cisco network admin is not going to help (I know in Cisco ACL, we can
put one last rule in the ACL as "deny ip any any log"  & that would log the denied traffic & we
can then issue "show log" to see the denied traffic - which the firewall/network guy won't do.

Is there anything I can do on the source & destination servers to establish which ports are
required?  On Windows MSDos prompt or Linux OS level (of the source server), I thought
of issuing
   netstat -an 1 | find "source_or_destination_IP_address"
& then on the source server, launch the application/command to make the connection &
the continuous "netstat" would reflect which port it's attempting to connect through.

For successful connections, "netstat -an" would show the status as "ESTABLISHED"

However, for Udp ports, don't think it will be shown as "ESTABLISHED", am I right? as
Udp is connectionless protocol??  Wou

Any script (that's rapidly/continously running) or free tools that I can run on the source &
destination servers that could help me determine which ports are the servers attempting
to connect to ?

Suppose the firewall admin finally allows me to gain a brief access to the firewall's Unix
command line, what command I can issue to find out the tcp ports, if any ?

If needed, I can possibly plug a notebook with ethereal in between but I'm totally green
with Ethereal - any simpler and free network port sniffer?

Very often, there's return traffic too & this needs to be sniffed out too, eg:
passive ftp initiated on Tcp port 20 from source & think high port needed for return traffic
ftp data used Tcp 21 (believe if it's get, it would be from destination to source while
   if it's put, it would be from source to destination??)

My all time favorite in the days I'm a firewall admin is to create a universal rule(s) which
permit all Tcp/Udp ports between the source/destination & issue "netstat -an | grep addrs"
on both source/destination, remove the universal rule & create more restrictive rule(s).
Comment
Watch Question

Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:

Any suggestions on what I can do on the source & destination servers,
even if it's less than ideal, would be most welcome.

If you have a freeware like "nmap" that can be run (without the need
to do installation on the servers), would be nice
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.