Comments on: FWAuto v1.1 – Firewall Auditing & Ruleset Analyzer Tool http://www.darknet.org.uk/2008/07/fwauto-v11-firewall-auditing-ruleset-analyzer-tool/ Ethical Hacking, Penetration Testing & Computer Security Sun, 08 Nov 2009 07:15:43 +0000 http://wordpress.org/?v=2.8.5 hourly 1 By: zupakomputer http://www.darknet.org.uk/2008/07/fwauto-v11-firewall-auditing-ruleset-analyzer-tool/#comment-124079 zupakomputer Tue, 22 Jul 2008 11:08:12 +0000 http://www.darknet.org.uk/?p=889#comment-124079 Look who popped up during a scan of the aforementioned B block - and they 'just happen' to have exactly the same services running on the same ports, http://centralops.net/co/DomainDossier.aspx?addr=218.10.111.106&dom_dns=true&dom_whois=true&net_whois=true&go=Submit Look who popped up during a scan of the aforementioned B block – and they ‘just happen’ to have exactly the same services running on the same ports,

http://centralops.net/co/DomainDossier.aspx?addr=218.10.111.106&dom_dns=true&dom_whois=true&net_whois=true&go=Submit

]]> By: zupakomputer http://www.darknet.org.uk/2008/07/fwauto-v11-firewall-auditing-ruleset-analyzer-tool/#comment-124073 zupakomputer Mon, 21 Jul 2008 16:03:08 +0000 http://www.darknet.org.uk/?p=889#comment-124073 Regarding firewalls - found two unrelated websites become unloadable when running a Firestarter config. Other sites were fine. But the interesting part being - the same IP B block showed up as loading alongside the various traffic on those two websites when the firewall was turned off. And it only shows up the first time you try to connect - cache emptying is needed (if the browser saves the pages)to get it to show up again....which made me think 'DNS then' - but, why only on pages that can't get by the firewall? So of course I had to see who that was, and the router trace won't go past 15 hops which just gets you the info you had already, that it belongs to a big B block of IPs (24.64.*.*) and only some vague ARIN info on the owner details of that and a bunch of other IP blocks. What does this smell like - both sites could certainly be having their visitors monitored given what kind of sites they were (hacking, and ecology / green), but it definitely sounds dodgy to me - the same unexact-traceable IP block shows up in both, and both can't get past a standard firewall config - somones thar is doing some probing and they don't want to be probed back themselves. I think that calls for some How Not To Be Seen treatment going their way. Two e-mail providers don't get past the firewall either, which in some ways sounds ok because you're logging in - but it's the login screens that get blocked. And guess what IP block shows up on one of them. & it just showed up again right before my connection dialed off. Always different host numbers each time it shows up. And also since I began writing this - the firewall is now blocking all webpages, on the same setting that was fine for them before (see above) - and that IP block 24.64.*.* is showing up again. What does a high-speed Canadian internet company have to do with my firewall settings? It connects directly to my ISP with ICMP and UDP traffic. Regarding firewalls – found two unrelated websites become unloadable when running a Firestarter config. Other sites were fine. But the interesting part being – the same IP B block showed up as loading alongside the various traffic on those two websites when the firewall was turned off. And it only shows up the first time you try to connect – cache emptying is needed (if the browser saves the pages)to get it to show up again….which made me think ‘DNS then’ – but, why only on pages that can’t get by the firewall?

So of course I had to see who that was, and the router trace won’t go past 15 hops which just gets you the info you had already, that it belongs to a big B block of IPs (24.64.*.*) and only some vague ARIN info on the owner details of that and a bunch of other IP blocks.

What does this smell like – both sites could certainly be having their visitors monitored given what kind of sites they were (hacking, and ecology / green), but it definitely sounds dodgy to me – the same unexact-traceable IP block shows up in both, and both can’t get past a standard firewall config – somones thar is doing some probing and they don’t want to be probed back themselves. I think that calls for some How Not To Be Seen treatment going their way.

Two e-mail providers don’t get past the firewall either, which in some ways sounds ok because you’re logging in – but it’s the login screens that get blocked. And guess what IP block shows up on one of them.

& it just showed up again right before my connection dialed off. Always different host numbers each time it shows up.

And also since I began writing this – the firewall is now blocking all webpages, on the same setting that was fine for them before (see above) – and that IP block 24.64.*.* is showing up again.

What does a high-speed Canadian internet company have to do with my firewall settings? It connects directly to my ISP with ICMP and UDP traffic.

]]> By: Changlinn http://www.darknet.org.uk/2008/07/fwauto-v11-firewall-auditing-ruleset-analyzer-tool/#comment-124064 Changlinn Sun, 20 Jul 2008 23:03:29 +0000 http://www.darknet.org.uk/?p=889#comment-124064 Now if only they could do checkpoint too, it is supposedly the most common firewall in enterprise. Now if only they could do checkpoint too, it is supposedly the most common firewall in enterprise.

]]>