Traffic flow through firewall simulation
  • Hi.

    We've migrated from Forefront TMG 2010 to pfSense. It's really cool and robust enough, but we are missing one feature. In TMG, when there was a problem with rules on the firewall, we were able to test it with a simulator - that means we were able to enter source IP, destination IP and port, and then TMG showed us the flow through the firewall and the rule that allows or denies the tested traffic. Is it possible to do similar troubleshooting in pfSense? I cannot find it anywhere in the menu. If not, what are the possibilities for firewall troubleshooting?

    Thanks
    George


  • Netgate

    No. Cisco ASAs have packet-tracer that does the same thing. It's really cool.

    But I know of nothing similar for pf, unfortunately. Would love to be corrected here.

    Quick example:

    ASA2# packet-tracer input inside tcp 172.25.248.100 12345 172.25.232.1 80
    
    Phase: 1
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    
    Phase: 3
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic any interface description Default NAPT Overload
    Additional Information:
    Dynamic translate 172.25.248.100/12345 to 172.25.228.20/12345
    
    Phase: 4
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 5
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic any interface description Default NAPT Overload
    Additional Information:
    
    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 8
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    
    Phase: 9
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 39896, packet dispatched to next module
    
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
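Since pf has no packet-tracer, the next best thing is to reason about rule evaluation the way pf does it. The script below is an added example (not from this thread, and not pfSense or Netgate code): a tiny packet-tracer for a constructed pf.conf-like ruleset. It models only rule lookup, with pf's real ordering semantics (last matching rule wins unless a matching rule is `quick`, in which case that rule wins immediately), and deliberately leaves out the state table, NAT and route-to/reply-to. The ruleset, interface names and addresses are all made up for the example.

```python
"""Mini packet-tracer for a simplified pf ruleset (added example).

pf evaluates rules top to bottom: the LAST match decides, unless a matching
rule is 'quick', which wins immediately. This simulates that rule lookup only
(assumption: no state table, no NAT, no reply-to/route-to).
"""
import ipaddress

# Constructed ruleset in a pf.conf-like subset, not from any real firewall.
# Indices match the @N numbers that `pfctl -vvsr` prints.
SAMPLE_RULES = """
block drop in log all
pass in quick on em1 proto tcp from 192.168.1.0/24 to any port 80
block return in quick on em1 proto tcp from any to 192.168.1.10 port 22
pass in on em1 proto tcp from 192.168.1.0/24 to 192.168.1.10 port 22
pass out quick on em0 all
""".strip().splitlines()


def parse_rule(text):
    """Parse one rule line into a dict; None in a field means 'any'."""
    tok = text.split()
    rule = {"text": text, "action": tok[0], "dir": None, "quick": False,
            "iface": None, "proto": None, "src": None, "dst": None,
            "sport": None, "dport": None}
    i = 1
    while i < len(tok):
        t = tok[i]
        if t in ("drop", "return", "log", "all"):   # do not affect matching
            i += 1
        elif t in ("in", "out"):
            rule["dir"], i = t, i + 1
        elif t == "quick":
            rule["quick"], i = True, i + 1
        elif t in ("on", "proto"):
            rule["iface" if t == "on" else "proto"], i = tok[i + 1], i + 2
        elif t in ("from", "to"):
            key, host = ("src" if t == "from" else "dst"), tok[i + 1]
            rule[key] = None if host == "any" else ipaddress.ip_network(host, strict=False)
            i += 2
            if i < len(tok) and tok[i] == "port":
                rule["sport" if key == "src" else "dport"], i = int(tok[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {text}")
    return rule


RULES = [parse_rule(line) for line in SAMPLE_RULES]


def packet(direction, iface, proto, src, dst, sport=None, dport=None):
    """The flow to trace, analogous to packet-tracer's arguments."""
    return {"dir": direction, "iface": iface, "proto": proto,
            "src": src, "dst": dst, "sport": sport, "dport": dport}


def rule_matches(rule, pkt):
    for key in ("dir", "iface", "proto", "sport", "dport"):
        if rule[key] is not None and rule[key] != pkt[key]:
            return False
    for key in ("src", "dst"):
        if rule[key] is not None and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    return True


def simulate(pkt, rules=RULES):
    """Return (action, index of deciding rule or None, per-rule steps).
    None means nothing matched: pf then passes, hence pfSense's own block-all."""
    action, winner, steps = "pass", None, []
    for idx, rule in enumerate(rules):
        matched = rule_matches(rule, pkt)
        steps.append((idx, matched, rule["text"]))
        if matched:
            action, winner = rule["action"], idx
            if rule["quick"]:
                break          # later rules are never evaluated
    return action, winner, steps


def print_trace(pkt, rules=RULES):
    action, winner, steps = simulate(pkt, rules)
    print(f"flow: {pkt['dir']} {pkt['iface']} {pkt['proto']} "
          f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
    for idx, matched, text in steps:
        print(f"  @{idx} {'MATCH' if matched else '     '}  {text}")
    print(f"  Action: {action} (decided by "
          f"{'@%d' % winner if winner is not None else 'implicit default'})")


if __name__ == "__main__":
    print_trace(packet("in", "em1", "tcp", "192.168.1.50", "10.0.0.1", 40000, 80))
    # @3 is shadowed: the quick block @2 wins before @3 is ever reached.
    print_trace(packet("in", "em1", "tcp", "192.168.1.50", "192.168.1.10", 40000, 22))
    # Nothing matches outbound on em1, so pf's implicit pass applies.
    print_trace(packet("out", "em1", "udp", "10.0.0.5", "8.8.8.8", 40000, 53))
```

Two caveats when mapping this onto a real pfSense box. First, rules created in the pfSense GUI are written with `quick`, so they behave first-match like the ASA; only floating rules let you leave `quick` off and get pf's native last-match behaviour. Second, on the live system the equivalent evidence comes from the firewall log (Status > System Logs > Firewall, which names the rule that passed or blocked a logged packet), from `pfctl -vvsr` (per-rule evaluation and match counters next to the same @N indices), and from `tcpdump -ni pflog0` for the raw logged packets.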