mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-28 20:16:41 +03:00
* Add a test for the firewall.
svn path=/nixos/trunk/; revision=26276
This commit is contained in:
Eelco Dolstra
parent
64d871c0d9
commit
ee4e004cc4
3 changed files with 52 additions and 1 deletions
|
|
@ -24,7 +24,10 @@ in
|
||||||
config = {
|
config = {
|
||||||
|
|
||||||
jobs.backdoor =
|
jobs.backdoor =
|
||||||
{ startOn = "ip-up";
|
{ # If the firewall is enabled, this job must start *after* the
|
||||||
|
# firewall, otherwise connection tracking won't know about
|
||||||
|
# this connection.
|
||||||
|
startOn = if config.networking.firewall.enable then "started firewall" else "ip-up";
|
||||||
stopOn = "never";
|
stopOn = "never";
|
||||||
|
|
||||||
script =
|
script =
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,7 @@ with import ../lib/testing.nix { inherit nixpkgs services system; };
|
||||||
avahi = makeTest (import ./avahi.nix);
|
avahi = makeTest (import ./avahi.nix);
|
||||||
bittorrent = makeTest (import ./bittorrent.nix);
|
bittorrent = makeTest (import ./bittorrent.nix);
|
||||||
firefox = makeTest (import ./firefox.nix);
|
firefox = makeTest (import ./firefox.nix);
|
||||||
|
firewall = makeTest (import ./firewall.nix);
|
||||||
installer = makeTests (import ./installer.nix);
|
installer = makeTests (import ./installer.nix);
|
||||||
ipv6 = makeTest (import ./ipv6.nix);
|
ipv6 = makeTest (import ./ipv6.nix);
|
||||||
kde4 = makeTest (import ./kde4.nix);
|
kde4 = makeTest (import ./kde4.nix);
|
||||||
|
|
|
||||||
47
tests/firewall.nix
Normal file
47
tests/firewall.nix
Normal file
|
|
@ -0,0 +1,47 @@
|
||||||
|
# Test the firewall module.
|
||||||
|
|
||||||
|
{ pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
|
||||||
|
nodes =
|
||||||
|
{ walled =
|
||||||
|
{ config, pkgs, nodes, ... }:
|
||||||
|
{ networking.firewall.enable = true;
|
||||||
|
networking.firewall.logRefusedPackets = true;
|
||||||
|
services.httpd.enable = true;
|
||||||
|
services.httpd.adminAddr = "foo@example.org";
|
||||||
|
};
|
||||||
|
|
||||||
|
attacker =
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
{ services.httpd.enable = true;
|
||||||
|
services.httpd.adminAddr = "foo@example.org";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript =
|
||||||
|
{ nodes, ... }:
|
||||||
|
''
|
||||||
|
startAll;
|
||||||
|
|
||||||
|
$walled->waitForJob("firewall");
|
||||||
|
$walled->waitForJob("httpd");
|
||||||
|
|
||||||
|
# Local connections should still work.
|
||||||
|
$walled->succeed("curl -v http://localhost/ >&2");
|
||||||
|
|
||||||
|
# Connections to the firewalled machine should fail.
|
||||||
|
$attacker->fail("curl -v http://walled/ >&2");
|
||||||
|
$attacker->fail("ping -c 1 walled >&2");
|
||||||
|
|
||||||
|
# Outgoing connections/pings should still work.
|
||||||
|
$walled->succeed("curl -v http://attacker/ >&2");
|
||||||
|
$walled->succeed("ping -c 1 attacker >&2");
|
||||||
|
|
||||||
|
# If we stop the firewall, then connections should succeed.
|
||||||
|
$walled->succeed("stop firewall");
|
||||||
|
$attacker->succeed("curl -v http://walled/ >&2");
|
||||||
|
'';
|
||||||
|
|
||||||
|
}
|
||||||
Loading…
Add table
Add a link
Reference in a new issue