On 6/28/2013 2:02 PM, Tom Limoncelli wrote:
> I'd like to write "unit tests" for my firewall rules. I used to do
> this with FreeBSD but I haven't found a similar tool for Linux. Any
> suggestions?
I'm not aware of anything public. I have some Cucumber steps that
interpret the output of iptables -nL to determine if traffic is
permitted but I don't think they're in a state to be useful to anyone else.
A standard test looks something like:
Feature: Firewall test
  Scenario:
    Given the user "me"
    When I log in to the firewall via SSH
    And I list the rules for the chain "INPUT"
    Then I should see that HTTP is permitted from everywhere
    And I should see that SSH is permitted from "172.16.1.1"
    And I should see that all other traffic is dropped
The step definitions look like: (These aren't the exact step definitions
used.)
Given /^the user "([^"]*)"$/ do |username|
  @username = username
end

When /^I log in to "([^"]*)" via SSH$/ do |server|
  @server = server
  @method = :ssh
end

When /^I list the firewall chain "(.*?)"$/ do |chain|
  # ssh_sudo() is a helper method to run a command on another system
  # using SSH and sudo. It uses the @username and @server instance
  # variables to determine which system to log into and as which user.
  @rules = ssh_sudo("/sbin/iptables -nL #{chain}")
  @rules.should_not match(%r{iptables: No chain/target/match by that name\.}),
    "The chain #{chain} does not exist."
end

Then /^I should see that HTTP is permitted from everywhere$/ do
  @rules.should =~ %r{^ACCEPT\s+tcp\s+--\s+0\.0\.0\.0/0\s+0\.0\.0\.0/0\s+tcp\s+dpt:80(?:\s+.*)?$}
end

Then /^I should see that SSH is permitted from "(.*?)"$/ do |ip|
  # Regexp.escape keeps the dots in the address literal instead of wildcards.
  @rules.should =~ %r{^ACCEPT\s+tcp\s+--\s+#{Regexp.escape(ip)}\s+0\.0\.0\.0/0\s+tcp\s+dpt:22(?:\s+.*)?$}
end

Then /^I should see that all other traffic is dropped$/ do
  @rules.should_not match(%r{^ACCEPT\s+all\s+--\s+0\.0\.0\.0/0\s+0\.0\.0\.0/0}),
    "All traffic is permitted."
  @rules.should match(%r{^DROP\s+all\s+--\s+0\.0\.0\.0/0\s+0\.0\.0\.0/0}),
    "Not all otherwise allowed traffic is dropped."
end
This approach works but I feel it's a bit messy.
My main problem with this approach is that it's not portable. I manage
multiple kinds of firewalls and each has its own set of steps because
the parse rules are different.
One of the items on my todo list is to write something that will parse
the firewall rules and present a common interface so I only have to
manage one set of steps. That's most of the way to having a tool that
would do what I understand you want to do.
I hope you find something that will do what you want soon.
-- Chris Ess
http://www.ithiriel.com
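The "common interface" idea from the reply above, as an added example that is not Chris's code: parse the `iptables -nL` listing into structured rules and decide a packet's verdict by walking the chain in order, so the "everything else is dropped" check is not tripped by an unrelated ACCEPT line such as a conntrack rule. The sample listing and the `parse_chain`, `rule_matches?`, `verdict` and `firewall_checks` names are all constructed here.

```ruby
# Added example, not code from the original post: parse `iptables -nL CHAIN`
# output into structured rules and decide a packet's verdict by walking the
# chain in order, so the checks survive unrelated rules (e.g. conntrack).
Rule = Struct.new(:target, :proto, :source, :destination, :extra)

# Parse the text printed by `iptables -nL CHAIN`. Returns [policy, rules].
def parse_chain(output)
  raise ArgumentError, "chain does not exist" if output =~ %r{No chain/target/match by that name}
  lines = output.lines.map(&:strip).reject(&:empty?)
  policy = lines.shift[/\(policy (\w+)\)/, 1]          # "Chain INPUT (policy DROP)"
  lines.shift if lines.first.to_s.start_with?("target") # column header line
  rules = lines.map do |l|
    target, proto, _opt, src, dst, *extra = l.split(/\s+/)
    Rule.new(target, proto, src, dst, extra.join(" "))
  end
  [policy, rules]
end

# Would this rule match a NEW connection with the given proto/src/dport?
# Only empty extras and "tcp dpt:N"-style extras are understood; any other
# match (state, limit, ...) is treated as not matching a fresh packet.
def rule_matches?(rule, proto:, src:, dport:)
  return false unless rule.proto == "all" || rule.proto == proto
  return false unless rule.source == "0.0.0.0/0" || rule.source == src
  rule.extra.empty? || rule.extra == "#{proto} dpt:#{dport}"
end

# First matching rule wins; otherwise the chain policy applies.
def verdict(policy, rules, proto:, src:, dport:)
  hit = rules.find { |r| rule_matches?(r, proto: proto, src: src, dport: dport) }
  hit ? hit.target : policy
end

# Constructed sample of `iptables -nL INPUT` output (not captured from a host).
SAMPLE = <<~OUT
  Chain INPUT (policy DROP)
  target     prot opt source               destination
  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  ACCEPT     tcp  --  172.16.1.1           0.0.0.0/0            tcp dpt:22
  DROP       all  --  0.0.0.0/0            0.0.0.0/0
OUT

# The three assertions from the scenario above, plus a negative case.
def firewall_checks(output = SAMPLE)
  policy, rules = parse_chain(output)
  { http_from_anywhere: verdict(policy, rules, proto: "tcp", src: "203.0.113.9", dport: 80),
    ssh_from_admin:     verdict(policy, rules, proto: "tcp", src: "172.16.1.1", dport: 22),
    ssh_from_stranger:  verdict(policy, rules, proto: "tcp", src: "203.0.113.9", dport: 22),
    other_udp:          verdict(policy, rules, proto: "udp", src: "203.0.113.9", dport: 53) }
end
puts firewall_checks.inspect if $PROGRAM_NAME == __FILE__
```

Each Cucumber step would then call `verdict` with a packet description instead of matching raw listing lines, and the same steps can be reused for any firewall whose listing can be parsed into the same `Rule` shape.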
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/