> From: Rob Carlson <rcarlson@xxxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Alternatives to --check option
>
> Is there any way of being able to tell how iptables is handling a
> package from a particular address short of actually sending something
> from said address?
>

There are several tools for penetration testing that work (nmap, etc.), but you might also give my "passive testing tool" a try: http://itval.sourceforge.net. It constructs a model of your rule set and answers queries about the behavior. Unfortunately, right now, it doesn't understand IPSET matches, but I'll see if I can add that functionality to the next version for you.

Robert Marmorstein
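
Added example, not part of the original message and not ITVal's code: a small Python sketch of answering "what happens to a packet from this address?" from a rule-set model instead of live traffic. The rule set is constructed, the names `parse` and `verdict` are hypothetical, and only `-s`, `-p`, `--dport` and `-j` in a single chain are modelled; any other match raises an error rather than being guessed at.

```python
import ipaddress
import shlex

# Constructed rule set in iptables-save syntax (not from the original post).
RULES = """\
-P INPUT DROP
-A INPUT -s 10.1.2.3/32 -j DROP
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j LOG
-A INPUT -p tcp --dport 80 -j ACCEPT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal

def parse(text, chain="INPUT"):
    """Return (default policy, ordered rule list) for one built-in chain."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[1] != chain or tok[0] not in ("-P", "-A"):
            continue
        if tok[0] == "-P":
            policy = tok[2]
            continue
        rule = {}
        for opt, val in zip(tok[2::2], tok[3::2]):
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "-j":
                rule["target"] = val
            else:  # refuse to guess at matches the model does not cover
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        rules.append(rule)
    return policy, rules

def verdict(policy, rules, src, proto, dport):
    """First matching terminating rule decides; otherwise the chain policy."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if "src" in r and addr not in r["src"]:
            continue
        if r.get("proto", proto) != proto or r.get("dport", dport) != dport:
            continue
        if r.get("target") in TERMINAL:
            return r["target"]
    return policy
```

Non-terminating targets such as `LOG` fall through to the next rule, which is why the port 80 query reaches the `ACCEPT` rule behind it.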