Running ft6

This section lists the requirements and provides a walk-through of a simple ft6 test session.

Requirements

You need to have the following software on both your client and server machines [1]:

  • Python. The programming language ft6 was written in. ft6 should work with versions 2.5 and above. Our development version was 2.7.3 and was installed using:

    $ apt-get install python2.7

    See http://www.python.org for further instructions.

  • PyQt4. Bindings for Qt4, the framework for the graphical user interface. Our development version was 4.9.3-4 and was installed using:

    $ apt-get install python-qt4

    See http://www.riverbankcomputing.co.uk/software/pyqt/intro for further instructions.

  • Scapy. The framework for network packet creation and manipulation. Our development version was 2.2.0. Note: Scapy’s website incorrectly links scapy-2.1.0 as the “latest release”. To download and install scapy-2.2.0 manually, run:

    $ wget http://www.secdev.org/projects/scapy/files/scapy-2.2.0.tar.gz
    $ tar xvfz scapy-2.2.0.tar.gz
    $ cd scapy-2.2.0
    $ sudo python setup.py install

    See http://www.secdev.org/projects/scapy for further instructions.

  • ft6. The firewall tester for IPv6. If you are reading this document, chances are that you’ve already downloaded ft6. If not, type:

    $ wget www.ipv6-ids.de/files/ft6-1.0.tar.gz
    $ tar xvfz ft6-1.0.tar.gz
    $ cd ft6-1.0

    You can run the Python scripts without any installation. A privileged account is needed for Scapy to create network packets.

That’s it! Now you should be ready to run ft6. To verify your installation you can try:

$ python
[...]
>>> import PyQt4
>>> (Ctrl-D to exit)

$ scapy
>>> (Ctrl-D to exit)

If no errors occurred and the version numbers reported by python and scapy are correct, you are done.

Setting Up

  • Have a machine on the internal side of your network. We’ll call this machine S.

  • Have a machine on the external side of your network. We’ll call this machine C.

  • Make sure that only the firewall lies between C and S. Other devices might interfere.

  • On S, start the server application:

    $ sudo ./ft6-server.py

    You can specify the IPv6 address and the port the server should listen on via:

    $ sudo ./ft6-server.py <address> <port>

    Alternatively, the program will try to figure out the available IPv6 addresses and ask you to choose one.

  • On C, start the client application:

    $ sudo ./ft6-client.py

    No command line arguments required. You will see a user interface like this:

The graphical user interface of ft6.

Running

  • Fill in the correct information. On our network, the server is listening to 2001:2:2::b, so we enter that into the target address field. For testing Multicast Listener Discovery, ft6 needs the link-local addresses of the client’s and server’s network interface. You can determine these using ifconfig or a similar tool. Look for lines that say “inet6” and “Scope:Link”.

    We’re well aware of how painful this is and are currently thinking about ways to automate this step. Sorry.

  • Enter the ports that ft6 should use. All communication will use the open port. When testing fragmenting attacks ft6 tries to connect to a port that’s not permitted by the firewall. Enter anything you think your firewall blocks into the field called closed port.

  • Select what tests to run by ticking or unticking the checkboxes, then press Start. You are now testing your firewall. Running all tests should take less than 5 minutes. Some tests take longer than others, give them some time. Watch the statusbar at the bottom of the interface and don’t surrender early.

The graphical user interface of ft6 with the statusbar stating that the tiny-fragments test will take slightly more than two minutes.

  • The Results box will become populated with results that are already finished. They are color-coded so you can easily see where your firewall is having trouble. You can click the items in the box to show details.

The details window of ft6. It shows one entry for each packet and says whether the packet was forwarded or dropped. It also shows a color-coded representation of whether dropping or forwarding was correct or not.

  • You see an entry for each network packet ft6 sent. Each item shows you two things:

    1. It tells you what action the firewall performed, i.e. whether the firewall dropped the packet or forwarded it. It says so in the description text.
    2. It tells you whether that action was correct or incorrect. This is reflected by the coloring of the item. As you might imagine, green stands for “correct”, red stands for “incorrect” and yellow stands for “technically correct, but pretty strange, did you really want your firewall to behave that way?”

  • Once all tests have completed you can click create logfile, which will write the result of every test into a textfile in ft6’s working directory, named ft6-report-<currentDateAndTime>.txt. That concludes your firewall test session.
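
The link-local lookup from the first step of this list, automated as an added example (not part of ft6): it scans ifconfig output for inet6 lines with link scope. It goes slightly beyond the text by also accepting the newer net-tools layout (`scopeid 0x20<link>`); the function name and the sample output are constructed for illustration.

```python
import re

# Constructed sample covering both net-tools layouts (not captured from a real host).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: 2001:2:2::c/64 Scope:Global
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet6 addr: ::1/128 Scope:Host

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a00:27ff:fe4e:66a1  prefixlen 64  scopeid 0x20<link>
        inet6 2001:2:2::d  prefixlen 64  scopeid 0x0<global>
"""

# An interface block starts in column 0; its address lines are indented.
IFACE_RE = re.compile(r"^([^\s:]+)")
# Older layout: "inet6 addr: <addr>/<len> Scope:Link"
OLD_RE = re.compile(r"inet6 addr:\s*([0-9a-fA-F:]+)/\d+\s+Scope:Link")
# Newer layout: "inet6 <addr>  prefixlen <len>  scopeid 0x20<link>"
NEW_RE = re.compile(r"inet6\s+([0-9a-fA-F:]+)\s+prefixlen\s+\d+\s+scopeid\s+\S*<link>")

def link_local_addresses(ifconfig_output):
    """Hypothetical helper: map interface name -> list of link-scope IPv6 addresses."""
    result = {}
    iface = None
    for line in ifconfig_output.splitlines():
        if line and not line[0].isspace():
            header = IFACE_RE.match(line)
            iface = header.group(1) if header else None
            continue
        m = OLD_RE.search(line) or NEW_RE.search(line)
        if m and iface is not None:
            result.setdefault(iface, []).append(m.group(1))
    return result

if __name__ == "__main__":
    # Print one "interface address" pair per line for the client or server field.
    for name, addrs in sorted(link_local_addresses(SAMPLE_IFCONFIG).items()):
        for addr in addrs:
            print("%s %s" % (name, addr))
```

On a real machine, pass the captured output of ifconfig to `link_local_addresses` instead of the sample text.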

[1] Note: If you are using aptitude-based package management like we do, we recommend running apt-get update first.
