How do you go about analyzing protocols that we haven't discussed here? The first question to ask is: Do you really need to run the protocol across your firewall, or is there some other satisfactory way to provide or access the service desired using a protocol already supported by your firewall?
If you really need to provide a protocol across your firewall, and it's not discussed above, how do you determine what ports it uses and so on? While it's sometimes possible to determine this information from program or protocol documentation, the easiest way to figure it out is usually to ask somebody else, such as the members of the Firewalls mailing list.[54] (See Appendix A.)
[54] But make sure you check the archives first, to see if the question has already been asked and answered.
If you have to determine the answer yourself, the easiest way to do it is usually empirically. Here's what you should do:
1. Set up a test system that's running as little as possible other than the application you want to test.
2. Set up another system to monitor the packets to and from the test system (using etherfind or tcpdump or some other package that lets you watch traffic on the local network).
3. Run the application on the test system and see what the monitoring system records.
You may need to repeat this procedure for every client implementation and every server implementation you intend to use. There are occasionally unpredictable differences between implementations (e.g., some DNS clients always use TCP, even though most DNS clients use UDP by default).
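Once the monitoring system has recorded the traffic, the remaining work is to turn the capture into the list of ports and transports the firewall would have to pass. The following script is an added example, not code from the book: it assumes the monitoring system saved the text output of tcpdump -n, and the capture lines embedded in it are constructed to show the DNS case above (a client that uses UDP for one lookup and TCP for another).

```python
"""Summarise which ports and transports an application actually used,
from the text output of ``tcpdump -n`` captured on the monitoring system.
Added example, not from the book; the capture lines below are constructed."""
import re
from collections import defaultdict

# Constructed sample of what the monitoring system might record while the
# test system (10.0.0.5) resolves names via 10.0.0.9: most queries go over
# UDP, but one client implementation also sends the lookup over TCP.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.53422 > 10.0.0.9.53: 12345+ A? example.com. (29)
12:00:01.000400 IP 10.0.0.9.53 > 10.0.0.5.53422: 12345 1/0/0 A 93.184.216.34 (45)
12:00:02.000001 IP 10.0.0.5.43211 > 10.0.0.9.53: Flags [S], seq 1, win 64240, length 0
12:00:02.000300 IP 10.0.0.9.53 > 10.0.0.5.43211: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.000500 IP 10.0.0.5.43211 > 10.0.0.9.53: Flags [P.], seq 2:31, ack 10, win 64240, length 29
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def summarise(capture, test_host):
    """Return {(proto, peer_ip, peer_port): packet_count} for every flow the
    test system initiated. Transport is inferred from tcpdump's text: lines
    containing 'Flags [' are TCP, anything else is assumed UDP (a heuristic
    of this example; capture with 'tcp' / 'udp' filters to be certain)."""
    flows = defaultdict(int)
    initiated = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto = "tcp" if "Flags [" in m["rest"] else "udp"
        if m["src"] == test_host:
            # Outbound packet: the destination side is the service port.
            key = (proto, m["dst"], int(m["dport"]))
            initiated.add(key)
        else:
            # Reply: only count it if the test system opened this flow.
            key = (proto, m["src"], int(m["sport"]))
        if key in initiated:
            flows[key] += 1
    return dict(flows)


def rules_needed(flows):
    """Render the flows as the allow rules the firewall would have to carry."""
    return sorted(f"{p} to {ip} port {port}" for p, ip, port in flows)
```

Running `rules_needed(summarise(SAMPLE_CAPTURE, "10.0.0.5"))` on the sample shows both a TCP and a UDP rule for port 53, which is exactly the implementation difference the text warns about; a capture from a client that never falls back to TCP would list only the UDP rule.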