# NixOS VM test for the firewall module.
#
# Two machines are booted: `walled` runs the default firewall (no ports
# opened) and `attacker` runs no firewall at all.  The script then checks
# that inbound TCP to `walled` is blocked while ICMP, loopback traffic and
# outbound connections keep working, and that stopping the firewall unit
# lets the blocked connection through.

import ./make-test.nix ({ pkgs, ... }:

let
  # Both VMs serve HTTP so that each side has something to connect to.
  httpdNode = {
    services.httpd = {
      enable = true;
      adminAddr = "foo@example.org";
    };
  };
in
{
  name = "firewall";
  meta.maintainers = with pkgs.stdenv.lib.maintainers; [ eelco chaoflow ];

  nodes = {
    # The machine under test: default ruleset, nothing explicitly opened.
    # NOTE(review): refused-packet logging is switched on here, but the
    # script below never reads the journal, so the option is exercised
    # rather than verified.
    walled = { config, pkgs, nodes, ... }: {
      imports = [ httpdNode ];
      networking.firewall = {
        enable = true;
        logRefusedPackets = true;
      };
    };

    # Unfirewalled peer used to probe `walled` from the outside.
    attacker = { config, pkgs, ... }: {
      imports = [ httpdNode ];
      networking.firewall.enable = false;
    };
  };

  testScript = { nodes, ... }: ''
    startAll;

    # Do not probe before the ruleset and the web server are actually up,
    # otherwise a failed curl would prove nothing about the firewall.
    $walled->waitForUnit($_) for qw(firewall httpd);
    $attacker->waitForUnit("network.target");

    # Loopback traffic on the firewalled host must be unaffected.
    $walled->succeed("curl -v http://localhost/ >&2");

    # From outside, TCP/80 is blocked; ICMP echo is allowed by default.
    $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");
    $attacker->succeed("ping -c 1 walled >&2");

    # The firewall only filters inbound traffic; outbound must keep working.
    $walled->succeed("curl -v http://attacker/ >&2");
    $walled->succeed("ping -c 1 attacker >&2");

    # Positive control: with the unit stopped the same request goes through,
    # which confirms the earlier failure was due to filtering and not to a
    # broken network or web server.
    $walled->stopJob("firewall");
    $attacker->succeed("curl -v http://walled/ >&2");
  '';
})