Is there a method for determining if a particular entry(s) in a network trace are being blocked by ACLs? If so, can you help me identify where in the trace it would show the packet being rejected/blocked? For example, we've written ACLs to prevent traffic on certain ports directed toward a particular host. In the network trace I see the client and host entries on the defined ports. But I can't tell if they are being blocked. We do see the counters on our firewall going up, so that's a good indication our ACL is working. But I was hoping Wireshark would somehow confirm the traffic is being blocked. Please let me know if I can provide a better example or further information. Appreciate the help. asked 09 Mar '12, 04:17 sdeb
One Answer:
<trivial mode> If you can only capture packets on one side of the connection, then you could deduce some information about the ACLs, but you are never sure. For instance, capturing on the client side of the filtering device could show you SYN packets being sent, but no SYN/ACK coming back. This could be due to the ACL, but also due to a routing problem, the server not being up, etc. answered 09 Mar '12, 04:37 SYN-bit ♦♦ edited 09 Mar '12, 04:38
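As an added illustration of the answer's point (this is not code from the thread): a small Python script that walks constructed, tshark-style packet records from a client-side capture, groups TCP connection attempts by 4-tuple, and separates completed handshakes from actively refused ones (RST back) and from SYNs that never got any reply. The record layout and the symbolic flag strings ("S", "SA", "RA") are my own constructed format, chosen to mirror the fields `tshark -T fields` would export; only the "no reply" class is what a client-side trace can show, and it is consistent with an ACL drop but equally with a routing problem or a host that is down.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "time src dst sport dport flags")

# Constructed sample trace, as seen on the client side of the filtering device.
# Flags: S = SYN, SA = SYN/ACK, A = ACK, RA = RST/ACK.
SAMPLE_TRACE = [
    Pkt(0.000, "10.0.0.5", "10.0.0.80", 51000, 80, "S"),
    Pkt(0.001, "10.0.0.80", "10.0.0.5", 80, 51000, "SA"),   # server answers
    Pkt(0.002, "10.0.0.5", "10.0.0.80", 51000, 80, "A"),    # handshake done
    Pkt(1.000, "10.0.0.5", "10.0.0.80", 51001, 23, "S"),
    Pkt(1.500, "10.0.0.5", "10.0.0.80", 51002, 22, "S"),
    Pkt(1.501, "10.0.0.80", "10.0.0.5", 22, 51002, "RA"),   # actively refused
    Pkt(2.000, "10.0.0.5", "10.0.0.80", 51001, 23, "S"),    # SYN retransmit
    Pkt(4.000, "10.0.0.5", "10.0.0.80", 51001, 23, "S"),    # SYN retransmit
]

def classify_connections(trace):
    """Return {(client, server, sport, dport): (verdict, syn_count)}.

    verdict is one of:
      "open"     - a SYN/ACK came back, the path and port are reachable
      "refused"  - the server (or a rejecting filter) sent RST
      "no-reply" - nothing came back; dropped by an ACL, misrouted, or host down
    """
    attempts = {}
    for p in sorted(trace, key=lambda p: p.time):
        if p.flags == "S":
            key = (p.src, p.dst, p.sport, p.dport)
            a = attempts.setdefault(key, {"syn_count": 0, "response": None})
            a["syn_count"] += 1
        else:
            # Reply direction: swap addresses and ports to find the attempt.
            key = (p.dst, p.src, p.dport, p.sport)
            if key in attempts and attempts[key]["response"] is None:
                attempts[key]["response"] = p.flags
    results = {}
    for key, a in attempts.items():
        if a["response"] == "SA":
            verdict = "open"
        elif a["response"] in ("R", "RA"):
            verdict = "refused"
        else:
            verdict = "no-reply"
        results[key] = (verdict, a["syn_count"])
    return results

def suspected_drops(trace, server, ports):
    """Ports toward `server` whose every attempt got no reply (candidate ACL drops)."""
    found = set()
    for (_c, s, _sp, dport), (verdict, _n) in classify_connections(trace).items():
        if s == server and dport in ports and verdict == "no-reply":
            found.add(dport)
    return sorted(found)

if __name__ == "__main__":
    for key, (verdict, n) in sorted(classify_connections(SAMPLE_TRACE).items()):
        print(key, verdict, "after", n, "SYN(s)")
    print("candidate ACL drops toward 10.0.0.80:", suspected_drops(SAMPLE_TRACE, "10.0.0.80", {22, 23, 80}))
```

Repeated SYNs with no answer are the strongest signal a one-sided trace gives; to actually confirm the drop you still need either the firewall counters or a second capture on the far side of the filtering device.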