System administration 2: Firewall rules troubleshooting

The following is a list of common practices for troubleshooting firewall rules that have been implemented for a server's connectivity to another endpoint.

Confirm Firewall Rules Implementation

Run an operating-system-level connectivity test on the agreed ports from the source server/firewall to the destination server/firewall. The test should verify routing, network address translation (NAT), ports, and URLs where applicable.

If there is no connectivity, follow the troubleshooting steps below.

Check Security Configuration (if applicable)

Ensure SSL certificate trust is in place and/or the required certificate exchanges are installed (e.g. 1-way or 2-way SSL certificates installed, and the destination network sees successful SSL handshakes).

Preliminary Application Interface Test (depends on application availability)

The source server generates a test message to be received on the destination server's interface, and the source confirms a valid response. This test confirms that the URL is in place and the basic messaging interface is available.

Network connectivity troubleshooting on server

1. Test Connectivity on source server(s)

a. Initial test by the server operator:
Telnet to the destination IP on the destination port. If the IPs are subject to network address translation (NAT), choose the appropriate source IP: the IP the firewall sees and translates from the source server.

b. If telnet fails:
Check whether static routing is configured in the source server's routing table. Make sure routing goes to the correct default gateway, and ping the default gateway to check that it responds (e.g. netstat -rn to check the server's routing configuration, and /usr/sbin/ping).

c. If the server routing table is OK:
Conduct the telnet test while network resources monitor the firewalls between the source and destination points.

d. If traffic is not picked up on firewall:
Check points along the network path. If possible, trace the network route. Traffic bound for the destination address should be monitored in case the source server IPs are not seen on the firewall.

e.g. Use /usr/sbin/traceroute to the destination server and check for the default gateway (assuming devices along the way do not block ICMP).
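The steps above (telnet to the destination port, inspect the routing table with netstat -rn, ping the default gateway) and the SSL handshake check from the security configuration section, as one script. This is an added example, not code from the original post; the SAMPLE_NETSTAT_RN table is constructed, and the route parser assumes the Linux netstat -rn column layout.

```python
"""Scripted form of the source-server checks in this section: the telnet test,
the routing-table inspection (netstat -rn), the ping of the default gateway and,
for the security-configuration step, the SSL/TLS handshake.
Added example, not code from the original post; SAMPLE_NETSTAT_RN is constructed."""
import ipaddress
import shutil
import socket
import ssl
import subprocess
import sys

# Constructed sample of Linux `netstat -rn` output used for the offline checks.
SAMPLE_NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.50.0    10.0.0.254      255.255.255.0   UG        0 0          0 eth0
"""


def default_gateway(netstat_output):
    """Gateway of the default route: Linux prints it as 0.0.0.0, BSD/Solaris as 'default'."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "default"):
            return fields[1]
    return None


def route_for(dest_ip, netstat_output):
    """Longest-prefix match of dest_ip against a Linux-format routing table.
    Returns (network, gateway, iface); gateway 0.0.0.0 means on-link, None means no route."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        except ValueError:
            continue  # header line, not a route
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, f[1], f[-1])
    return best


def tcp_check(host, port, timeout=5.0):
    """Scripted `telnet host port`; the failure mode tells you where to look next."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout: packets silently dropped or never routed (check firewall/route)"
    except ConnectionRefusedError:
        return False, "refused: host reachable but nothing listening, or a reject rule"
    except OSError as e:
        return False, f"error: {e}"


def tls_check(host, port, cafile=None, certfile=None, keyfile=None, timeout=5.0):
    """One-way TLS trust check, or two-way when certfile/keyfile supply the client cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                return True, f"{tls.version()} handshake ok, peer subject {subject}"
    except ssl.SSLError as e:
        return False, f"TLS failure: {e.reason}"  # e.g. CERTIFICATE_VERIFY_FAILED
    except OSError as e:
        return False, f"no TCP connectivity: {e}"


def ping(host, count=2):
    """Ping via the system binary (/usr/sbin/ping as in the post, if not on PATH)."""
    exe = shutil.which("ping") or "/usr/sbin/ping"
    result = subprocess.run([exe, "-c", str(count), host], capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    # Usage: python connectivity_check.py DEST_IP DEST_PORT [--tls]
    dest, port = sys.argv[1], int(sys.argv[2])
    table = subprocess.run(["netstat", "-rn"], capture_output=True, text=True).stdout
    gw = default_gateway(table)
    print("default gateway:", gw, "reachable:", ping(gw) if gw else "n/a")
    print("route to destination:", route_for(dest, table))
    print("tcp:", tcp_check(dest, port))
    if "--tls" in sys.argv:
        print("tls:", tls_check(dest, port))
```

A timeout from tcp_check usually means a drop rule or a missing route somewhere on the path (step d), whereas a refusal means the packets arrived and were rejected or nothing is listening; keeping the two apart saves a round of firewall log review.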

2. Check Network configuration

a. If the firewalls are picking up traffic but there is still no connectivity:

Network resources should check:

  1. Verify the destination and source IPs in the firewall rules.
  2. Check static routes, host files, address resolution protocols, VPN configurations, and other network routing configurations.
  3. If network address translation is being used, check that the translation of source and destination addresses is done properly.
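A check for items 1 and 3 above, and for the NAT caveat in the telnet step: evaluate a flow against the rule set using the source address the firewall actually sees after translation, and flag rules written with the pre-NAT address. This is an added example, not code from the original post; the RULES list and SRC_NAT table are constructed (RFC 5737 documentation addresses), and first-match semantics are assumed.

```python
"""Checks a flow against a first-match firewall rule set after applying source NAT,
so a rule written with the pre-NAT address is reported as such instead of just
'no connectivity'. Added example, not from the post; the rule set and NAT table
below are constructed (RFC 5737 documentation addresses)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # host or CIDR
    dst: str       # host or CIDR
    port: int      # destination TCP port, 0 = any
    action: str    # "allow" or "deny"


# Constructed: 10.0.0.5 is the server's own address, 203.0.113.10 is what the
# firewall sees after source NAT. Rule 0 was (wrongly) written with the pre-NAT address.
RULES = [
    Rule("10.0.0.5", "198.51.100.20", 443, "allow"),
    Rule("203.0.113.10", "198.51.100.30", 8443, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),  # explicit cleanup rule
]
SRC_NAT = {"10.0.0.5": "203.0.113.10"}


def match_rule(rules, src_ip, dst_ip, port):
    """First matching rule wins, as on most firewalls; None if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (s in ipaddress.ip_network(rule.src, strict=False)
                and d in ipaddress.ip_network(rule.dst, strict=False)
                and rule.port in (0, port)):
            return rule
    return None


def evaluate_flow(rules, src_nat, src_ip, dst_ip, port):
    """Evaluate src_ip -> dst_ip:port with the source address the firewall actually sees."""
    seen_src = src_nat.get(src_ip, src_ip)
    rule = match_rule(rules, seen_src, dst_ip, port)
    allowed = rule is not None and rule.action == "allow"
    findings = []
    if not allowed:
        pre_nat_rule = match_rule(rules, src_ip, dst_ip, port)
        if seen_src != src_ip and pre_nat_rule is not None and pre_nat_rule.action == "allow":
            findings.append(f"{pre_nat_rule} matches the untranslated source {src_ip}, "
                            f"but the firewall sees {seen_src}: rule uses the pre-NAT address")
        elif rule is None:
            findings.append("no rule matches; traffic falls to the implicit deny")
        else:
            findings.append(f"explicitly denied by {rule}")
    return {"seen_src": seen_src, "rule": rule, "allowed": allowed, "findings": findings}


def lint_rules(rules, src_nat):
    """Indexes of rules whose source is an internal (pre-NAT) address the firewall never sees."""
    flagged = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.src, strict=False)
        if net.prefixlen == 0:
            continue  # any-source rules are fine
        if any(ipaddress.ip_address(inside) in net for inside in src_nat):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for src, dst, port in [("10.0.0.5", "198.51.100.20", 443),
                           ("10.0.0.5", "198.51.100.30", 8443),
                           ("10.0.0.7", "198.51.100.30", 8443)]:
        print(src, "->", f"{dst}:{port}", evaluate_flow(RULES, SRC_NAT, src, dst, port))
    print("rules referencing pre-NAT addresses:", lint_rules(RULES, SRC_NAT))
```

The rule set and NAT table here come from a constructed scenario; on a real firewall they are exported from the device, and the same evaluation shows whether the address the rule author wrote is the one the firewall will ever see.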

Random thought:

RAM disk is not an installation procedure. ~Author Unknown


By Justin Tung

Servant of the public as a communications and IT jack of all trades. Always willing to fundraise and volunteer for the greater good.
