Traffic flow through firewall simulation
-
Hi.
We've migrated from Forefront TMG 2010 to pfSense. It's really cool and robust enough, but we are missing one feature. In TMG, when there was a problem with rules on the firewall, we were able to test it with a simulator - that means we were able to enter source IP, destination IP and port, and then TMG showed us the flow through the firewall and the rule that allowed or denied the tested traffic. Is it possible to do similar troubleshooting in pfSense? I cannot find it anywhere in the menu. If not, what are the possibilities for firewall troubleshooting?
Thanks
George -
No. Cisco ASAs have packet-tracer that does the same thing. It's really cool.
But I know of nothing similar for pf, unfortunately. Would love to be corrected here.
Quick example:
ASA2# packet-tracer input inside tcp 172.25.248.100 12345 172.25.232.1 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface description Default NAPT Overload
Additional Information:
Dynamic translate 172.25.248.100/12345 to 172.25.228.20/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface description Default NAPT Overload
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 39896, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
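Since pf itself has no equivalent of packet-tracer, the following added example (written for this thread, not code from pfSense or from either poster) shows the rule-walk a TMG-style simulator would have to perform for a given source, destination and port: pf tests every rule in order and the last match wins, unless a matching rule is `quick`, which stops evaluation (pfSense's GUI rules are generated with `quick`, so there first match wins), and nothing matching falls to the implicit default deny. The ruleset and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None = any
    quick: bool = False    # pf "quick": stop evaluating on match
    label: str = ""

    def matches(self, proto, src, dst, dport):
        return ((self.proto in ("any", proto))
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

def trace(rules, proto, src, dst, dport):
    """Walk the ruleset like pf does and report the deciding rule.
    pf semantics: every rule is tested in order and the LAST matching rule
    wins, unless a matching rule is marked quick, which ends the search at
    once (pfSense's GUI emits quick on its rules, so there first match wins).
    With no match at all pfSense's implicit default deny applies."""
    action, label, log = "block", "implicit default deny", []
    for i, r in enumerate(rules, 1):
        hit = r.matches(proto, src, dst, dport)
        log.append(f"rule {i} ({r.label}): {'match' if hit else 'no match'}")
        if hit:
            action, label = r.action, r.label
            if r.quick:
                log.append(f"rule {i} is quick: evaluation stops")
                break
    return action, label, log

# Constructed sample ruleset (RFC 5737 addresses), not a real pfSense config.
RULES = [
    Rule("block", "any", "0.0.0.0/0", "0.0.0.0/0", None, label="default block"),
    Rule("block", "tcp", "192.0.2.50/32", "0.0.0.0/0", None, True, "quarantine host"),
    Rule("pass", "tcp", "192.0.2.0/24", "0.0.0.0/0", 80, label="LAN to HTTP"),
    Rule("pass", "tcp", "192.0.2.0/24", "0.0.0.0/0", 443, label="LAN to HTTPS"),
]

if __name__ == "__main__":
    for pkt in [("tcp", "192.0.2.10", "198.51.100.7", 80),
                ("tcp", "192.0.2.50", "198.51.100.7", 80)]:
        action, label, log = trace(RULES, *pkt)
        print(pkt, "->", action, "by", label, "|", "; ".join(log))
```

The evaluation log plays the role of packet-tracer's phases: it tells you which rule actually decided the packet, which is the usual answer to "why is this traffic blocked/allowed".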