How to test firewall connectivity?

Assuming that the services are "listening" on the destination servers, using a TELNET client to test TCP connectivity is a perfectly valid method. You can use a tool like "netcat" if you want to get even more bare-bones. You're just testing up the stack to TCP this way. You can't guarantee that the layer 7 protocol is actually working without doing more.

If you want layer 7 verification, use a client program for each of the protocols in question and attempt to perform some type of client / server interaction from the machines that will be sourcing the connections.

As always, if you're in doubt about whether your traffic is making it where you'd expect it to go, I'd recommend using a sniffer (tcpdump, Wireshark, etc.) to verify that the packets really are ending up where you expect them to. There's no substitute for watching the bits on the wire.
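The layer 7 check this answer calls for, as an added example that is not part of the original answer: a TCP connect (telnet, nc) only proves the firewall lets the SYN through, so these checks read the SSH identification string or send a minimal HTTP GET and only report success when the real protocol answered. So that it runs offline, the script talks to constructed loopback stand-ins (`_fake_ssh`, `_fake_http`, `_silent` and the `SSH_PORT`/`HTTP_PORT`/`SILENT_PORT` values are assumptions of the example, not real services); point `check_ssh` / `check_http` at the actual destination host from the machine that will source the connections for a real test.

```python
"""Layer-7 verification of a firewall path (added example, not from the post).

A telnet/nc connect only proves the path up to TCP. These checks speak the
first bytes of the real protocol, so a "yes" means the service answered.
"""
import socket
import threading


def check_ssh(host, port, timeout=2.0):
    """Return the server's SSH identification string, or None.

    RFC 4253: the server sends "SSH-protoversion-softwareversion" CR LF
    first, before the client has to say anything, so one recv() is enough.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(255)
    except OSError:  # refused, timed out, reset, unreachable ...
        return None
    line = data.split(b"\r\n", 1)[0]
    return line.decode("ascii", "replace") if line.startswith(b"SSH-") else None


def check_http(host, port, path="/", timeout=2.0):
    """Send a minimal GET and return the HTTP status code, or None."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = s.recv(4096)
    except OSError:
        return None
    status = data.split(b"\r\n", 1)[0].split(b" ")
    if len(status) < 2 or not status[0].startswith(b"HTTP/"):
        return None
    try:
        return int(status[1])
    except ValueError:
        return None


# Constructed loopback stand-ins so the checks can run offline.
def _serve(handler):
    """Listen on an ephemeral 127.0.0.1 port; run handler(conn) per client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    handler(conn)
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def _fake_ssh(conn):
    conn.sendall(b"SSH-2.0-OpenSSH_example\r\n")  # constructed banner


def _fake_http(conn):
    conn.recv(4096)
    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")


def _silent(conn):
    # Completes the TCP handshake but never speaks: what a wrong service behind
    # the rule looks like. telnet/nc would report this port as reachable.
    conn.recv(1)


SSH_PORT = _serve(_fake_ssh)
HTTP_PORT = _serve(_fake_http)
SILENT_PORT = _serve(_silent)


def run_checks(host="127.0.0.1", timeout=1.0):
    """Exercise the checks against the stand-ins; returns name -> result."""
    return {
        "ssh_banner": check_ssh(host, SSH_PORT, timeout),
        "http_status": check_http(host, HTTP_PORT, timeout=timeout),
        "ssh_on_http_port": check_ssh(host, HTTP_PORT, timeout),  # TCP ok, L7 no
        "silent_ssh": check_ssh(host, SILENT_PORT, timeout),
        "silent_http": check_http(host, SILENT_PORT, timeout=timeout),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:18s} {result}")
```

The "silent" and "ssh_on_http_port" cases are the point: both would look fine to telnet or netcat, and both come back None here, which is exactly the gap between a TCP-level and a layer 7 check.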


It really depends on what level of verification you're looking for. For most simple single port TCP services (such as those listed), you just need to verify that the port is open and accepting connections. The easiest method would be to use nmap. Specific syntax for checking the ports mentioned would be:

nmap -p 22,80,636 192.168.1.1

And would return a result along the lines of:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-24 16:20 CST
Interesting ports on 192.168.1.1:
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
636/tcp closed ldapssl

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

If the firewall were blocking any of those ports, the STATE returned would be filtered instead of open or closed.

That only verifies the firewall rules, though. It doesn't verify that the service is necessarily running on the port, or that it is operating correctly. For that, you'd have to run a check that understood the service you were checking.


This is an old question, but if anyone needs to do a test of their firewall, I wrote a tool called fcat (firewall cat). It's used to open up a range of ports on server A.

On server B, you can use fcat to connect to that range on A and see which ports are being blocked by the firewall.

The reason I created it is that you can easily scan for open ports with nmap, but I couldn't find an easy way to spin up port listeners without using some sort of messy bash loop.

Fcat

https://github.com/perfecto25/fcat

fcat makes this much simpler.

Examples:

On Host A:

hostA> fcat -p 1500,1900,21000-21500  (will open ports 1500,1900 and every port in 21000-21500 range)

# can also bind to specific IPs or iface names
hostA > fcat -p 2000,3400-3500,27000-27150 -i 192.168.35.2 
hostA > fcat -p 2000,3400-3500,27000-27150 -i em1

On Host B:

hostB > fcat conn -h hostA -p 21000-21500 (will test basic TCP connection to this port range)
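The same two halves in plain Python, as an added example that is not fcat's code and not part of either answer above: host A binds listeners on a port spec written the way fcat's `-p` argument is (the "1500,1900,21000-21500" syntax is assumed from the post), and host B connects to each port and classifies the result with the same open / closed / filtered distinction the nmap answer describes, by looking at how connect() failed rather than just whether it failed. `free_port` and `loopback_demo` exist only so the script can exercise itself on 127.0.0.1 offline; for a real test run `open_listeners` on A and `probe_range` on B against A's address.

```python
"""Both halves of an fcat-style firewall test (added example, not fcat's code).

Host A opens a set of TCP ports; host B connects to each one and classifies
the result the way nmap would: open / closed / filtered.
"""
import errno
import socket


def parse_ports(spec):
    """'1500,1900,21000-21500' -> sorted list of ports (fcat-style spec, assumed)."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def open_listeners(host, ports, backlog=16):
    """Host A side: listen on every port that can be bound; returns {port: socket}.

    No accept loop is needed for a connect test: the kernel completes the TCP
    handshake into the listen backlog, so the peer sees "open" either way.
    """
    bound = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            s.listen(backlog)
        except OSError:  # already in use or privileged port: skip, keep going
            s.close()
            continue
        bound[port] = s
    return bound


def classify(exc):
    """Map a connect() failure to what it says about the path."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"  # SYN silently dropped: firewall DROP, or no way back
    if isinstance(exc, ConnectionRefusedError):
        return "closed"  # RST or ICMP port-unreachable came back: path open, no listener (or firewall REJECT)
    if getattr(exc, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"  # ICMP host/net unreachable or no route; nmap reports these as filtered too
    return "error"


def probe(host, port, timeout=2.0):
    """Host B side: one TCP connect; returns open/closed/filtered/unreachable/error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def probe_range(host, spec, timeout=2.0):
    """Host B side over a whole fcat-style spec; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in parse_ports(spec)}


def free_port(host="127.0.0.1"):
    """Ask the kernel for a currently unused port (only for the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def loopback_demo():
    """Listen on one loopback port, leave another closed, probe both."""
    host = "127.0.0.1"
    listeners = open_listeners(host, [free_port(host)])
    open_port = next(iter(listeners))
    closed_port = free_port(host)  # bind(0) never hands out a port in use
    try:
        return {"open": probe(host, open_port, 1.0),
                "closed": probe(host, closed_port, 1.0)}
    finally:
        for s in listeners.values():
            s.close()


if __name__ == "__main__":
    print(loopback_demo())
```

The distinction in `classify` is the one that matters when reading results: "closed" means the firewall passed the packet and the host answered, so the rule is fine and the service is missing, while "filtered" (a timeout) means nothing came back at all, which is what a DROP rule looks like. A firewall configured to REJECT with tcp-reset is indistinguishable from "closed" at this layer, which is one more reason to confirm with tcpdump on the destination when the answer is surprising.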