Testing a Firewall against outgoing UDP ports
Solution 1
This tool will do it. You can enter the entire 1-65,535 UDP port range.
http://demo1.speedsight.com/applet.html
Solution 2
If you have a server available that you can target the scan against, you can use tcpdump or similar. This works by having a machine inside the firewall try to send a UDP packet to a server outside the firewall on every port. The receiving server then records the packets it sees.
First make sure that all incoming UDP ports are forwarded to the server on the router (if it is not directly on the internet).
Then run tcpdump on the receiving server (the primitives in a capture filter must be joined with "and"):
tcpdump -i eth0 host <ip address of remote server> and udp
The ip address of the remote server is whatever your IP appears to be after NAT through the firewall. There are services online to work out your public IP address.
Then from a device inside the firewall, use nmap (65535 is the highest valid port number):
nmap -sU <your server IP> -p 1-65535
The nmap run will tell you nothing, but the tcpdump at the remote site will record every UDP packet that came through the firewall.
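One way to turn the capture from Solution 2 into the port list the question asks for, as an added example that is not part of either answer: it parses the output of tcpdump run with -nn (numeric addresses and ports; the format below is assumed and the sample lines are constructed), keeps only probes that reached the listening server, and reports both the ports that arrived and those the firewall dropped.

```python
import re

# Header line tcpdump -nn prints per IPv4 datagram. The protocol name is not
# required: with a capture filter of "udp" every line is UDP anyway, and
# tcpdump decodes well-known ports (53, 123, ...) instead of printing "UDP".
_HDR = re.compile(
    r" IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5}) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d{1,5}):"
)

# Constructed tcpdump output: nmap probes from the NATed public address 203.0.113.5
# to the listening server 198.51.100.7 (port 500 repeats: nmap retransmits) plus
# one probe to an unrelated host that must be ignored.
SAMPLE = """\
12:00:01.000001 IP 203.0.113.5.40001 > 198.51.100.7.53: [|domain]
12:00:01.000120 IP 203.0.113.5.40001 > 198.51.100.7.123: [|ntp]
12:00:01.000250 IP 203.0.113.5.40001 > 198.51.100.7.500: UDP, length 0
12:00:01.000400 IP 203.0.113.5.40001 > 198.51.100.7.500: UDP, length 0
12:00:01.000500 IP 203.0.113.5.40001 > 198.51.100.7.4500: UDP, length 0
12:00:01.000600 IP 203.0.113.5.40001 > 192.0.2.9.53: UDP, length 0
""".splitlines()

def ports_seen(lines, server_ip):
    """Destination ports of probes that reached server_ip (retransmissions collapse)."""
    seen = set()
    for line in lines:
        m = _HDR.search(line)
        if m and m.group(3) == server_ip:
            seen.add(int(m.group(4)))
    return seen

def blocked_ports(seen, lo=1, hi=65535):
    """Scanned ports that never arrived: dropped outbound, or lost in transit (rerun before trusting a single miss)."""
    return [p for p in range(lo, hi + 1) if p not in seen]

def ranges(ports):
    """Render ports as nmap-style ranges, e.g. '1-3,5,10-12'."""
    out, run = [], []
    for p in sorted(set(ports)):
        if run and p != run[-1] + 1:
            out.append(run)
            run = []
        run.append(p)
    if run:
        out.append(run)
    return ",".join(f"{r[0]}-{r[-1]}" if len(r) > 1 else str(r[0]) for r in out)

if __name__ == "__main__":
    seen = ports_seen(SAMPLE, "198.51.100.7")
    print("passed :", ranges(seen))                          # 53,123,500,4500
    print("blocked:", ranges(blocked_ports(seen, 1, 1024)))  # 1-52,54-122,124-499,501-1024
```

Feed it the real capture with `tcpdump -nn -l -i eth0 host <server IP> and udp | python3 this_script.py` after adapting the script to read stdin instead of SAMPLE; the -l flag keeps tcpdump line-buffered through the pipe.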
CallumA, updated on September 18, 2022
Comments
-
CallumA (over 1 year ago):
I'm trying to test which outgoing ports are allowed through a firewall. At the moment I can do this for TCP by port scanning portquiz.net (which is a server with all TCP ports open) from inside, however this won't work for UDP. My setup is as follows:
Me (my device on local network) <-> NAT/Firewall <-> IPv4 Internet
So my question is, how can I test a firewall between me and the Internet to see which outgoing UDP ports I am able to connect to and use successfully?
For clarification I'm wanting to test every port (not any particular port) and returning a list of the ports that can successfully get through.
-
Paul (about 9 years ago): Hi CallumA. This is asking for a service recommendation and so is off-topic. Consider rewording the question.
-
Paul (about 9 years ago): Do you have access to your own device externally?
-
CallumA (about 9 years ago): @Paul I'm not sure what you mean, the firewall (and NAT) means incoming connections are not allowed at all if that's it.
-
Paul (about 9 years ago): You are testing outgoing connections, do you have something external you could target? This would be straightforward if you have your own machine on the internet you could use to listen for connections.
-
CallumA (about 9 years ago): @Paul Ahh, I see. Yes, I do have a server that could be used for this.
-
barlop (about 9 years ago): A server on the internet might require port forwarding. You could test on a server on your LAN, so installing cygwin and using the nc command, something like
nc -ul 1234
and then on the computer whose outgoing firewall rule you are testing, do
nc -u 192.168.1.7 1234
-
Sourav Ghosh (over 7 years ago): This test uses a Java applet. Latest Chrome versions block Java; use Firefox.
-
DaveTheMinion (almost 6 years ago): Does this utility exist in an offline form that could be used to scan ports on networks that use paywalls or something of that nature?
-
pabouk - Ukraine stay strong (almost 3 years ago): There does not seem to be a web server on the address any more:
ncat -vv demo1.speedsight.com 80
---TCP connection requested to 34.195.111.169:80 (IOD #1) EID 8
---CONNECT TIMEOUT for EID 8 [34.195.111.169:80]