Bitfolk's monitoring service is great:

    https://tools.bitfolk.com/wiki/Monitoring

but it just occurred to me that (IIUC) it only monitors for *reachable* services, not for unreachable ones - i.e. whether the firewall is correctly shielding a particular port or protocol.

Now, I know that best practice is to ensure that all running services are correctly configured to only listen to traffic from the networks from which they can safely receive it, and that a good sysadmin should be able to sleep comfortably at night even when his firewall is off (wide open).  However, that does not invalidate defence in depth; I don't think anyone who advocates the above best practice would seriously recommend ditching firewall rules.  Therefore it makes sense (to me, at least) to try to implement at least some basic tests to monitor the correct behaviour of the firewall.

The kind of test I imagine is an attempted connection to a TCP or UDP port which passes when the response is ICMP port unreachable (in the case of a REJECT rule), or when a timeout expires without any response (in the case of a DROP rule).  The test could fail if a RST was received in the TCP case, or in any case if any other response was received.

Of course there are way too many ports for such a monitor to check them all, but even checking a single port for which no services are expected to be running would be a lot better than nothing, since this could catch a large number of cases where basic firewall configuration errors have been made, or where the firewall was accidentally turned off or simply failed to start.

Does this make sense or has the sun gone to my head?

Cheers,
Adam
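A socket-level sketch of the probe described above, added here as an illustration; it is not code from this thread or from BitFolk's monitoring, and the host and port values are placeholders. One caveat the socket API imposes: a TCP RST and an ICMP port-unreachable both surface as ECONNREFUSED, so telling a REJECT rule apart from a plain closed port (firewall off) needs packet capture; a DROP rule on the sentinel port is the case this check can actually catch.

```python
import errno
import socket

# Outcomes: "open" (something accepted/answered), "refused" (RST or ICMP
# port unreachable; indistinguishable at this level), "timeout" (silence,
# i.e. what a DROP rule should produce), "unreachable" (routing-level error).

def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect and classify what came back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()

def probe_udp(host, port, timeout=3.0):
    """Send an empty datagram on a connected UDP socket (Linux behaviour
    assumed: an ICMP port unreachable is reported as ECONNREFUSED on the
    following recv). Silence is ambiguous for UDP: DROP, or an open
    service that simply does not answer empty datagrams."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"")
        s.recv(1)
        return "open"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        raise
    finally:
        s.close()

# What each firewall rule type is expected to look like from outside.
EXPECTED = {"DROP": {"timeout"}, "REJECT": {"refused"}}

def check(outcome, rule):
    """True when the observed outcome matches the rule the port should have."""
    return outcome in EXPECTED[rule]
```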