D-Link NetDefendOS User Manual page 120

Network security firewall

This allows the remote host's responsiveness to an incoming TCP connection to be established.
For testing UDP connectivity, use the -udp option together with the -port option. The UDP message
size must also be specified: the -count option gives the number of packets to send and the -length
option gives the length in bytes of each packet. For example:
gw-world:/> ping 10.6.58.10 -udp -port=53 -verbose -count=1 -length=30
Sending 30-byte UDP ping to 10.6.58.10:53 from 192.168.3.20:22307
using PBR table "main"
... using route "0.0.0.0/0 via ext, gw 192.168.3.1" in PBR table "main"
UDP Reply from 10.6.58.10:53 to 192.168.3.20:22307 seq=0 time=50 ms TTL=58
Ping Results:
Sent: 1, Received:1, Loss: 0%, Avg RTT: 50.0 ms
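When the ping command is driven from a script (for example over an SSH session to the firewall), the verbose output has to be turned back into a pass/fail result. The following parser is an added example written for this page, not code from D-Link or NetDefendOS; the sample transcripts it embeds are constructed to match the format of the manual's own output, and the PARTIAL sample is invented to show loss handling. It recognises both the "Ping Results" summary of a normal ping and the "DROPPED by rule" line of an -srcif simulation, so the same helper serves the UDP test above and the incoming packet simulation below.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample output, modelled on the manual's transcripts (not real captures).
UDP_OK = """Sending 30-byte UDP ping to 10.6.58.10:53 from 192.168.3.20:22307
using PBR table "main"
... using route "0.0.0.0/0 via ext, gw 192.168.3.1" in PBR table "main"
UDP Reply from 10.6.58.10:53 to 192.168.3.20:22307 seq=0 time=50 ms TTL=58
Ping Results:
Sent: 1, Received:1, Loss: 0%, Avg RTT: 50.0 ms
"""

PARTIAL = """Ping Results:
Sent: 4, Received:3, Loss: 25%, Avg RTT: 12.5 ms
"""

DROPPED = """Rule and routing information for ping:
PBR selected by rule "iface_member_main" - PBR table "main"
DROPPED by rule "Default_Access_Rule"
"""


@dataclass
class PingOutcome:
    sent: int
    received: int
    loss_pct: float
    avg_rtt_ms: Optional[float]
    dropped_by: Optional[str]  # rule name when the firewall itself dropped the packet
    route: Optional[str]       # route chosen for the packet, if the output names one


_RESULT = re.compile(
    r"Sent:\s*(\d+),\s*Received:\s*(\d+),\s*Loss:\s*(\d+(?:\.\d+)?)%"
    r"(?:,\s*Avg RTT:\s*(\d+(?:\.\d+)?)\s*ms)?"
)
_DROP = re.compile(r'DROPPED by rule "([^"]+)"')
_ROUTE = re.compile(r'using route "([^"]+)"')


def parse_ping(text: str) -> PingOutcome:
    """Turn one NetDefendOS ping transcript into a structured outcome."""
    drop = _DROP.search(text)
    route = _ROUTE.search(text)
    dropped_by = drop.group(1) if drop else None
    route_str = route.group(1) if route else None

    res = _RESULT.search(text)
    if res:
        sent, recv, loss, rtt = res.groups()
        return PingOutcome(int(sent), int(recv), float(loss),
                           float(rtt) if rtt else None, dropped_by, route_str)

    # No summary line: the packet never left the firewall (dropped by a rule)
    # or the output was cut short. Treat both as 100% loss.
    return PingOutcome(0, 0, 100.0, None, dropped_by, route_str)


def reachable(outcome: PingOutcome) -> bool:
    """True when at least one reply came back and no firewall rule dropped the ping."""
    return outcome.dropped_by is None and outcome.received > 0


if __name__ == "__main__":
    for name, sample in (("udp", UDP_OK), ("partial", PARTIAL), ("dropped", DROPPED)):
        o = parse_ping(sample)
        print(f"{name}: reachable={reachable(o)} loss={o.loss_pct}% dropped_by={o.dropped_by}")
```

A drop reported by name (Default_Access_Rule, Default_Rule) is a configuration finding rather than a network fault, so scripts should report the rule name instead of retrying.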
Incoming Packet Simulation with -srcif
Instead of testing the responsiveness of a remote host, the NetDefendOS ping command can be
used to simulate an incoming ICMP ping message and thereby test the locally configured IP
rules/policies and routes. This is done with the -srcif option. For example:
gw-world:/> ping 10.6.58.10 -srcif=wan -verbose
This command will construct an ICMP packet with destination IP 10.6.58.10 and NetDefendOS will
behave as though the packet has arrived on the specified source interface (in this case, wan).
As the packet appears to arrive on the interface specified, the administrator can observe the
behavior of the configuration and which IP rules/policies and routes are triggered. The IP address
specified could be an actual host in which case the packet will be forwarded to it through the
firewall.
If there is no route that matches the combination of source IP and receiving interface (the -srcif
parameter), the packet will be dropped by the default access rule. For example:
gw-world:/> ping 10.6.58.10 -srcif=wan -verbose
Rule and routing information for ping:
PBR selected by rule "iface_member_main" - PBR table "main"
DROPPED by rule "Default_Access_Rule"
For the ping not to be dropped, there must not only be a route that matches the IP address and
interface combination but also an IP rule that allows the packet on that interface. If the administrator
simulates the packet coming from the public Internet on the wan interface and going to some
host on the protected lannet, the allowing IP rule might look similar to the following:

Action   Source Interface   Source Network   Destination Interface   Destination Network   Service
NAT      wan                all-nets         lan                     lannet                ping-inbound

If there is no IP rule or IP policy that permits the packet, it will also be dropped. For example:
gw-world:/> ping 10.6.58.10 -srcif=wan -verbose
Rule and routing information for ping:
PBR selected by rule "iface_member_main" - PBR table "main"
DROPPED by rule "Default_Rule"
The -srcif option is usually used in combination with the -srcip option described next.
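The two drop messages above come from two different checks performed in a fixed order: first the default access rule (a reverse route lookup on the source address against the receiving interface), then the IP rule set, with the implicit Default_Rule dropping whatever nothing else matched. The model below is an added example written for this page, not NetDefendOS code, and it simplifies the real engine (no PBR tables, no "any" or "core" interfaces, no address-object lookups). The configuration it embeds is constructed: lannet is taken to be 10.6.58.0/24 behind lan, everything else is reached via wan, and the single rule ping_in is the inbound ping rule of the table above; 203.0.113.5 is a documentation address standing in for an Internet host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Route:
    network: str    # CIDR, e.g. "10.6.58.0/24"
    interface: str  # interface through which that network is reached


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str     # "Allow", "NAT", "Drop", ...
    src_if: str
    src_net: str    # CIDR or "all-nets"
    dst_if: str
    dst_net: str
    service: str


@dataclass(frozen=True)
class Packet:
    src_if: str     # interface the packet is simulated to arrive on (ping -srcif)
    src_ip: str     # source address (ping -srcip)
    dst_ip: str
    service: str    # "ping-inbound" for an ICMP echo request


def in_net(ip: str, net: str) -> bool:
    return net == "all-nets" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def lookup_route(routes: Sequence[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match; None when no route covers the address."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Route] = None
    for r in routes:
        net = ipaddress.ip_network(r.network)
        if addr in net and (best is None
                            or net.prefixlen > ipaddress.ip_network(best.network).prefixlen):
            best = r
    return best


def evaluate(routes: Sequence[Route], rules: Sequence[IPRule], pkt: Packet) -> str:
    # 1. Default access rule: reverse route lookup. The route for the source
    #    address must point back out through the interface the packet arrived
    #    on; otherwise the source looks spoofed and the packet is dropped here.
    back = lookup_route(routes, pkt.src_ip)
    if back is None or back.interface != pkt.src_if:
        return 'DROPPED by rule "Default_Access_Rule"'

    # 2. Forward route lookup gives the destination interface the rules match on.
    fwd = lookup_route(routes, pkt.dst_ip)
    if fwd is None:
        return "DROPPED: no route to destination"

    # 3. First IP rule whose six fields all match decides the action.
    for rule in rules:
        if (rule.src_if == pkt.src_if and in_net(pkt.src_ip, rule.src_net)
                and rule.dst_if == fwd.interface and in_net(pkt.dst_ip, rule.dst_net)
                and rule.service == pkt.service):
            return f'{rule.action.upper()} by rule "{rule.name}"'

    # 4. Nothing matched: the implicit Default_Rule drops the packet.
    return 'DROPPED by rule "Default_Rule"'


# Constructed configuration (hypothetical; not from the manual).
ROUTES = [Route("10.6.58.0/24", "lan"), Route("0.0.0.0/0", "wan")]
RULES = [IPRule("ping_in", "NAT", "wan", "all-nets", "lan", "10.6.58.0/24", "ping-inbound")]

if __name__ == "__main__":
    cases = [
        ("internet host pings lannet host", RULES,
         Packet("wan", "203.0.113.5", "10.6.58.10", "ping-inbound")),
        ("lannet address arriving on wan (spoofed)", RULES,
         Packet("wan", "10.6.58.99", "10.6.58.10", "ping-inbound")),
        ("same ping with no IP rules configured", [],
         Packet("wan", "203.0.113.5", "10.6.58.10", "ping-inbound")),
    ]
    for label, rules, pkt in cases:
        print(f"{label}: {evaluate(ROUTES, rules, pkt)}")
```

The second case is why the order matters when reading ping -srcif output: a source address that belongs to lannet but arrives on wan never reaches the IP rule set, so adding a permissive rule cannot make it pass, while a Default_Rule drop is fixed only by a rule that matches all six fields.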