This section lists the requirements and provides a walk-through of a simple ft6 test session.
You need to have the following software on both your client and server machine [1]:
Python. The programming language ft6 is written in. ft6 should work with versions 2.5 and above. Our development version was 2.7.3 and was installed using:
$ apt-get install python2.7
See http://www.python.org for further instructions.
PyQt4. Bindings for Qt4, the framework for the graphical user interface. Our development version was 4.9.3-4 and was installed using:
$ apt-get install python-qt4
See http://www.riverbankcomputing.co.uk/software/pyqt/intro for further instructions.
Scapy. The framework for network packet creation and manipulation. Our development version was 2.2.0. Note: Scapy’s website incorrectly links scapy-2.1.0 as the “latest release”. To download and install scapy-2.2.0 manually, run:
$ wget http://www.secdev.org/projects/scapy/files/scapy-2.2.0.tar.gz
$ tar xvfz scapy-2.2.0.tar.gz
$ cd scapy-2.2.0
$ sudo python setup.py install
See http://www.secdev.org/projects/scapy for further instructions.
ft6. The firewall tester for IPv6. If you are reading this document, chances are that you’ve already downloaded ft6. If not, type:
$ wget www.ipv6-ids.de/files/ft6-1.0.tar.gz
$ tar xvfz ft6-1.0.tar.gz
$ cd ft6-1.0
You can run the python scripts without any installation. A privileged account is needed for scapy to create network packets.
That’s it! Now you should be ready to run ft6. To verify your installation you can try:
$ python
[...]
>>> import PyQt4
>>> (Ctrl-D to exit)
$ scapy
>>> (Ctrl-D to exit)
If no errors occurred and the version numbers reported by python and scapy are correct, you are done.
Have a machine on the internal side of your network. We’ll call this machine S.
Have a machine on the external side of your network. We’ll call this machine C.
Make sure that only the firewall lies between C and S. Other devices might interfere.
On S, start the server application:
$ sudo ./ft6-server.py
You can specify the IPv6 address and the port the server should listen on via:
$ sudo ./ft6-server.py <address> <port>
Alternatively, the program will try to figure out the available IPv6 addresses and ask you to choose one.
On C, start the client application:
$ sudo ./ft6-client.py
No command line arguments required. You will see a user interface like this:
Fill in the correct information. On our network, the server is listening on 2001:2:2::b, so we enter that into the target address field. For testing Multicast Listener Discovery, ft6 needs the link-local addresses of the client’s and the server’s network interface. You can determine these using ifconfig or a similar tool. Look for lines that say “inet6” and “Scope:Link”.
We’re well aware of how painful this is and are currently thinking about ways to automate this step. Sorry.
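As an added example (not part of ft6 or of this document), the following Python 3 helper automates the link-local lookup described above: it parses ifconfig output in both the older “Scope:Link” layout and the newer “scopeid 0x20<link>” layout and returns the addresses per interface. The ifconfig text embedded below is a constructed sample, not output captured from a real host.

```python
import ipaddress
import re

# Interface header: "eth0      Link encap:Ethernet ..." (old net-tools) or
# "eth0: flags=4163<UP,...>" (newer net-tools).
_IFACE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.:@-]+?):?\s+(?:Link encap|flags=)")
# Address line: "inet6 addr: fe80::1/64 Scope:Link" (old) or
# "inet6 fe80::1%eth0  prefixlen 64  scopeid 0x20<link>" (new).
_INET6_RE = re.compile(r"^\s+inet6\s+(?:addr:\s*)?(?P<addr>[0-9A-Fa-f:]+)")

# Constructed sample output, not captured from a real host.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:2b:12:34
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe2b:1234/64 Scope:Link
          inet6 addr: 2001:2:2::b/64 Scope:Global
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::1%eth1  prefixlen 64  scopeid 0x20<link>
lo        Link encap:Local Loopback
          inet6 addr: ::1/128 Scope:Host
"""

def ipv6_addresses(ifconfig_output):
    """Return {iface: {"link_local": [...], "other": [...]}}, loopback skipped,
    zone ids and prefix lengths stripped so values paste into ft6's fields."""
    result, iface = {}, None
    for line in ifconfig_output.splitlines():
        header = _IFACE_RE.match(line)
        if header:
            iface = header.group("name")
            continue
        m = _INET6_RE.match(line)
        if not m or iface is None:
            continue
        try:
            addr = ipaddress.IPv6Address(m.group("addr"))
        except ValueError:
            continue  # tolerate odd lines instead of aborting
        if addr.is_loopback:
            continue
        bucket = "link_local" if addr.is_link_local else "other"
        result.setdefault(iface, {"link_local": [], "other": []})[bucket].append(str(addr))
    return result

def link_local_for(ifconfig_output, iface):
    """Return the one link-local address of iface; ft6 needs exactly one."""
    found = ipv6_addresses(ifconfig_output).get(iface, {}).get("link_local", [])
    if len(found) != 1:
        raise ValueError("%s has %d link-local addresses" % (iface, len(found)))
    return found[0]
```

Feed it the output of `ifconfig` (for example via `subprocess.check_output(["ifconfig"], text=True)`) on the client and on the server to get the two link-local values ft6 asks for.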
Enter the ports that ft6 should use. All communication will use the open port. When testing fragmentation attacks, ft6 tries to connect to a port that the firewall does not permit. Enter anything you think your firewall blocks into the field called closed port.
Select what tests to run by ticking or unticking the checkboxes, then press Start. You are now testing your firewall. Running all tests should take less than 5 minutes. Some tests take longer than others, so give them some time. Watch the status bar at the bottom of the interface and don’t surrender early.
[1] Note: If you are using apt-based package management like we do, we recommend running apt-get update first.