Again courtesy of darknet, I found ftester, a Perl tool for testing firewalls and IDSen. I figured I'd give it a quick test run.
All my security machines are FreeBSD, so I hoped to find it in ports - no such luck. Figuring I'd test from a machine in our firewall's untrusted zone to a machine that was, I grabbed the sources there first. I lacked all the required Perl packages, but p5-Net-RawIP, p5-Net-PcapUtils (and its several dependencies), and p5-NetPacket are all in ports. I installed those on both machines using pkg_add -r. I also had a quick look at ftest and ftestd, and didn't see anything in there that looked like it would hose me. I also changed the shebang line to call /usr/local/bin/perl - it looks like at least one of my perl installs didn't make the links in /usr/bin for me.
I had a quick look at the README and set up an ftest.conf on the source machine that looks something like this (IP addresses changed for "privacy"):
sourceip:1025:destip:1-1025:S:TCP:0
and ran ftestd on the dest machine:
dest# ./ftestd -i em0 -v
Firewall Tester sniffer v.1.0
Copyright (C) 2001-2006 Andrea Barisani andrea@inversepath.com
default system TTL =
replies TTL = 200
listening on em0
Then I let fly with ftest on the source machine:
source# ./ftest -f ftest.conf -v -d 0.01
Overriding command-line flags => flags: -d 0.01 -s 1
Overriding command-line flags => flags: -e ttl1 -p 4
Restoring command-line flags => flags: restore
1 - sourceip:1025 > destip:1 S TCP 0
lots more
1026 - sourceip:1025 > destip:3128 S TCP 0
source#
And the output on the dest machine looked like this:
22 - sourceip:1025 > destip:22 S TCP 0
113 - sourceip:1025 > destip:113 S TCP 0
407 - sourceip:1025 > destip:407 S TCP 0
(which gives away no information that we haven't already published, by the way). So at first glance, it appears to behave exactly as advertised; even if the IDS stuff doesn't work, it's still useful for seeing exactly what's sent vs what's received through a firewall or a proxy.
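To make the sent-vs-received comparison mechanical rather than eyeballed, here is an added example (my own script, not part of ftester) that parses the "id - src:port > dst:port flags proto tos" lines from the ftest and ftestd output above, matches them on probe id, and reports which destination ports passed the firewall and which were silently dropped. The sample logs are constructed to look like the ones in this post.

```python
import re

# Log line format shared by ftest (sender) and ftestd (sniffer), as seen in the post:
#   "<id> - <srcip>:<sport> > <dstip>:<dport> <flags> <proto> <tos>"
LINE_RE = re.compile(r"^(\d+)\s+-\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Map probe id -> (src, sport, dst, dport, flags, proto, tos); non-matching lines are skipped."""
    probes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # banners, prompts and notes such as "lots more" do not match and are ignored
            n, src, sport, dst, dport, flags, proto, tos = m.groups()
            probes[int(n)] = (src, int(sport), dst, int(dport), flags, proto, int(tos))
    return probes

def compare(sent_text, recv_text):
    """Return (passed, filtered, unexpected) probe ids by matching the two logs on probe id."""
    sent, recv = parse_log(sent_text), parse_log(recv_text)
    passed = sorted(i for i in sent if i in recv and sent[i] == recv[i])
    filtered = sorted(i for i in sent if i not in recv)    # dropped somewhere in between
    unexpected = sorted(i for i in recv if i not in sent)  # seen on dest but never sent
    return passed, filtered, unexpected

def port_ranges(ports):
    """Collapse port numbers into sorted (low, high) ranges of contiguous ports."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1][1] = p
        else:
            ranges.append([p, p])
    return [tuple(r) for r in ranges]

# Constructed sample logs: 30 SYN probes to ports 1-30; only ports 22 and 25 reach the sniffer.
SENT_LOG = "\n".join(f"{n} - sourceip:1025 > destip:{n} S TCP 0" for n in range(1, 31))
RECV_LOG = """Firewall Tester sniffer v.1.0
listening on em0
22 - sourceip:1025 > destip:22 S TCP 0
25 - sourceip:1025 > destip:25 S TCP 0
"""

def report(sent_text=SENT_LOG, recv_text=RECV_LOG):
    """Summarise which destination ports got through and which the firewall dropped."""
    sent = parse_log(sent_text)
    passed, filtered, unexpected = compare(sent_text, recv_text)
    return {"passed": port_ranges(sent[i][3] for i in passed),
            "filtered": port_ranges(sent[i][3] for i in filtered),
            "unexpected": unexpected}

if __name__ == "__main__":
    print(report())
```

Feed it the real ftest and ftestd output (captured with -v on both sides) and any non-empty "unexpected" list is worth a look, since it means the sniffer saw a probe the sender never logged.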