Theory-filtering-4: (0.02) (potato)
	Notions of packet filtering (IV) -offline test with IP alias-

0.02 26/10/02 first translation & alias lo:0 instead of eth0:0


Content summary:
--------------------
Offline testing
    Configure IP alias
    nmap scanning
    Other tests
    To see rules (and packet and byte counters)
    To see the log of denied packets
    MORE INFO



Offline testing

	It is possible to test my firewall-easy firewall while disconnected
	from the Internet, without establishing a ppp connection: the
	firewall is designed to allow exactly that ;-)


    Configure IP alias

	I suggest an IP alias such as 1.1.1.1, an address outside the private
	ranges, so that the rules denying private/reserved source addresses
	do not block the test packets before they reach the rules you
	actually want to test. Note that the alias lives on lo, so packets to
	1.1.1.1 arrive on the loopback interface: a rule that accepts
	everything on lo (e.g. "-i lo -j ACCEPT") placed before the rules
	under test would let the test packets through untested. Also,
	1.1.1.1 has since become a real public address; that does not matter
	offline, but bring the alias down before reconnecting, or that host
	becomes unreachable from your machine.

	1) Add to /etc/network/interfaces:
---8<---

# IP alias (a second IP address to listen on, on the same interface)
# ---ALWAYS has to come after the stanza of the real interface---

iface lo:0 inet static
	noauto
	address 1.1.1.1
	netmask 255.255.255.0
	network 1.1.1.0
	broadcast 1.1.1.255
--->8---

	"noauto" prevents the interface from being brought up at boot (when
	"ifup -a" is run), so we bring it up and down by hand


	2) Run:
	    ifup lo:0		# to activate alias now
	    ifconfig		# to verify lo:0 exists
	    ifdown lo:0		# to deactivate alias
	    ifconfig		# to verify lo:0 does not exist



    nmap scanning

	nmap -S 1.1.1.1 -P0 -sT -sU -v -p 22 1.1.1.1
	    # -S = force the source IP to 1.1.1.1 (needed for UDP; otherwise
	    #      nmap uses 127.0.0.1 and the packets get blocked by the
	    #      antispoof rules)
	    # -P0 = do not ping first (spelled -Pn in current nmap versions)
	    # -sT = TCP connect scan
	    # -sU = UDP scan
	    # -v = be verbose
	    # -p = port(s) to scan; ranges as 1-1024


	WARNING: the scan is going to be _VERY_ slow. This is because the
	 firewall works well: it is invisible and returns nothing (no RST, no
	 ICMP unreachable), so nmap has to wait for every probe to time out.

	Do not believe nmap when it says "open": for UDP in particular it
	infers "open" from the absence of a reply, and a silently dropping
	firewall produces exactly that. Check the rule counters and the log
	files and you will see the packets were denied :-)
    


    Other tests

	ping 1.1.1.1
	ssh 1.1.1.1
	telnet 1.1.1.1
	telnet 1.1.1.1 80	# try to reach TCP port 80 (www)
	nmap -S 1.1.1.1 -P0 -sT -sU -v -p 20022 1.1.1.1   # high TCP/UDP port test



    To see rules (and packet and byte counters)

	ipchains -L -n -v		# kernel 2.2
	iptables -t filter -L -n -v	# kernel 2.4 (add -x for exact counters
					#  instead of K/M abbreviations)



    To see the log of denied packets

	cat /var/log/messages
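
	The following script is an added example and is not part of this
	page or of the firewall-easy package. It automates the two checks
	above for the kernel 2.4 / iptables case: snapshot the counters
	before and after the offline tests, print only the rules (and chain
	policies) whose packet counter grew, and summarise the denied
	packets logged by a LOG rule per protocol and destination port. It
	assumes a LOG rule with prefix "FW-DENY " in front of each DROP (an
	assumption of this example, not something firewall-easy defines) and
	kernel messages in /var/log/messages. The counter snapshots and log
	lines below are constructed samples so it runs offline; on a real
	machine replace them with the real files as the comments say.

```shell
#!/bin/sh
# Added example (not firewall-easy code): evaluate an offline test run by
# diffing iptables counters and summarising LOG hits.
# Assumptions: kernel 2.4 + iptables, LOG rules with prefix "FW-DENY "
# (hypothetical prefix), kernel messages in /var/log/messages.
# On a real box, produce the snapshots with:
#   iptables -t filter -L -n -v -x > /tmp/fw.before   # before the tests
#   iptables -t filter -L -n -v -x > /tmp/fw.after    # after the tests

# diff_counters BEFORE AFTER
# Prints every rule (and chain policy) whose packet counter grew, with the
# delta.  Rules are matched by position, so the rule set must not change
# between the two snapshots (otherwise the comparison is meaningless).
diff_counters() {
    awk '
    NR == FNR {                                  # first file: remember counters
        if ($1 ~ /^[0-9]+$/) pk[FNR] = $1        # rule line: pkts is field 1
        if ($1 == "Chain" && $3 == "(policy") pol[FNR] = $5   # policy pkts
        next
    }
    $1 == "Chain" {                              # second file: chain header
        chain = $2; rule = 0
        if ($3 == "(policy" && $5 - pol[FNR] > 0)
            printf "%s policy %s +%d\n", chain, $4, $5 - pol[FNR]
        next
    }
    $1 ~ /^[0-9]+$/ {                            # rule line: pkts bytes target prot ...
        rule++
        d = $1 - pk[FNR]
        if (d > 0) printf "%s rule %d %s %s +%d\n", chain, rule, $3, $4, d
    }' "$1" "$2"
}

# log_hits PREFIX LOGFILE
# Counts packets logged with PREFIX, grouped by protocol/destination port
# (ICMP has no port, so it is grouped by ICMP type instead).
log_hits() {
    grep -F -- "$1" "$2" |
      sed -n -e 's/.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1\/\2/p' \
             -e 's/.*PROTO=ICMP.*TYPE=\([0-9]*\).*/ICMP\/type\1/p' |
      sort | uniq -c | awk '{ print $2, $1 }'
}

# ---- constructed sample data (stand-in for the real snapshots and log) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/before" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0
       0        0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4 prefix `FW-DENY '
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0        0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22 LOG flags 0 level 4 prefix `FW-DENY '
       0        0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22
       0        0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `FW-DENY '
       0        0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
EOF

# After "nmap ... -p 22" (2 TCP SYNs, 1 UDP probe), "ping" (1 echo request)
# and "telnet 1.1.1.1 80" (1 SYN, matched by no rule: only the policy sees it).
cat > "$SAMPLE_DIR/after" <<'EOF'
Chain INPUT (policy DROP 1 packets, 60 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0
       2      120 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4 prefix `FW-DENY '
       2      120 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       1       50 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22 LOG flags 0 level 4 prefix `FW-DENY '
       1       50 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22
       1       84 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `FW-DENY '
       1       84 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
EOF

cat > "$SAMPLE_DIR/messages" <<'EOF'
Oct 26 12:00:01 fw kernel: FW-DENY IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
Oct 26 12:00:04 fw kernel: FW-DENY IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
Oct 26 12:00:09 fw kernel: FW-DENY IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=1.1.1.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40002 DPT=22 LEN=8
Oct 26 12:00:15 fw kernel: FW-DENY IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Oct 26 12:00:20 fw sshd[123]: unrelated line that must be ignored
EOF

echo "== rules whose counters grew =="
diff_counters "$SAMPLE_DIR/before" "$SAMPLE_DIR/after"
echo "== denied packets per proto/port in the log =="
log_hits 'FW-DENY ' "$SAMPLE_DIR/messages"
```

	The counter diff is the more complete check of the two: the SYN to
	port 80 shows up only as "INPUT policy DROP +1", because nothing
	logs packets that fall through to the chain policy, so a test that
	relied on the log alone would miss it.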



    MORE INFO

        IP Aliasing:	Net-HOWTO ("IP Aliasing" section)

	man ifup		# ifup command man page
	man interfaces		# interfaces file format
