nixpkgs/nixos/tests/firewall.nix

# Test the firewall module.

import ./make-test.nix ( { pkgs, ... } : {
  name = "firewall";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ eelco chaoflow ];
  };

  nodes =
    { walled =
        { config, pkgs, nodes, ... }:
        { networking.firewall.enable = true;
          networking.firewall.logRefusedPackets = true;
          services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
        };

      attacker =
        { config, pkgs, ... }:
        { services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
          networking.firewall.enable = false;
        };
    };

  testScript =
    { nodes, ... }:
    ''
      startAll;

      $walled->waitForUnit("firewall");
      $walled->waitForUnit("httpd");
      $attacker->waitForUnit("network.target");

      # Local connections should still work.
      $walled->succeed("curl -v http://localhost/ >&2");

      # Connections to the firewalled machine should fail.
      $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");
      $attacker->fail("ping -c 1 walled >&2");

      # Outgoing connections/pings should still work.
      $walled->succeed("curl -v http://attacker/ >&2");
      $walled->succeed("ping -c 1 attacker >&2");

      # If we stop the firewall, then connections should succeed.
      $walled->stopJob("firewall");
      $attacker->succeed("curl -v http://walled/ >&2");
    '';
})
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 13:38:52 +00:00			`# Test the firewall module.`

all tests: added meta.maintainers section 2015-07-12 12:09:40 +02:00			`import ./make-test.nix ( { pkgs, ... } : {`
name nixos tests, close #3078 2014-06-28 16:04:49 +02:00			`name = "firewall";`
all tests: added meta.maintainers section 2015-07-12 12:09:40 +02:00			`meta = with pkgs.stdenv.lib.maintainers; {`
			`maintainers = [ eelco chaoflow ];`
			`};`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 13:38:52 +00:00
			`nodes =`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00			`{ walled =`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 13:38:52 +00:00			`{ config, pkgs, nodes, ... }:`
			`{ networking.firewall.enable = true;`
			`networking.firewall.logRefusedPackets = true;`
			`services.httpd.enable = true;`
			`services.httpd.adminAddr = "foo@example.org";`
			`};`

strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00			`attacker =`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 13:38:52 +00:00			`{ config, pkgs, ... }:`
			`{ services.httpd.enable = true;`
			`services.httpd.adminAddr = "foo@example.org";`
Fix tests broken due to the firewall being enabled by default 2014-04-11 17:15:56 +02:00			`networking.firewall.enable = false;`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 13:38:52 +00:00			`};`
			`};`

			`testScript =`
			`{ nodes, ... }:`
			`''`
			`startAll;`

Tests: global search/replace of obsolete functions 2012-10-24 18:22:53 +02:00			`$walled->waitForUnit("firewall");`
			`$walled->waitForUnit("httpd");`
			`$attacker->waitForUnit("network.target");`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 13:38:52 +00:00
			`# Local connections should still work.`
			`$walled->succeed("curl -v http://localhost/ >&2");`

			`# Connections to the firewalled machine should fail.`
Fix tests broken due to the firewall being enabled by default 2014-04-11 17:15:56 +02:00			`$attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 13:38:52 +00:00			`$attacker->fail("ping -c 1 walled >&2");`

			`# Outgoing connections/pings should still work.`
			`$walled->succeed("curl -v http://attacker/ >&2");`
			`$walled->succeed("ping -c 1 attacker >&2");`

			`# If we stop the firewall, then connections should succeed.`
Update some tests for systemd 2012-10-24 18:11:21 +02:00			`$walled->stopJob("firewall");`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 13:38:52 +00:00			`$attacker->succeed("curl -v http://walled/ >&2");`
			`'';`
all tests: added meta.maintainers section 2015-07-12 12:09:40 +02:00			`})`