pyrox.dev
1# Test the firewall module.
2
3import ./make-test-python.nix ( { pkgs, ... } : {
4 name = "firewall";
5 meta = with pkgs.lib.maintainers; {
6 maintainers = [ eelco ];
7 };
8
9 nodes =
10 { walled =
11 { ... }:
12 { networking.firewall.enable = true;
13 networking.firewall.logRefusedPackets = true;
14 services.httpd.enable = true;
15 services.httpd.adminAddr = "foo@example.org";
16 };
17
18 # Dummy configuration to check whether firewall.service will be honored
19 # during system activation. This only needs to be different to the
20 # original walled configuration so that there is a change in the service
21 # file.
22 walled2 =
23 { ... }:
24 { networking.firewall.enable = true;
25 networking.firewall.rejectPackets = true;
26 };
27
28 attacker =
29 { ... }:
30 { services.httpd.enable = true;
31 services.httpd.adminAddr = "foo@example.org";
32 networking.firewall.enable = false;
33 };
34 };
35
36 testScript = { nodes, ... }: let
37 newSystem = nodes.walled2.config.system.build.toplevel;
38 in ''
39 start_all()
40
41 walled.wait_for_unit("firewall")
42 walled.wait_for_unit("httpd")
43 attacker.wait_for_unit("network.target")
44
45 # Local connections should still work.
46 walled.succeed("curl -v http://localhost/ >&2")
47
48 # Connections to the firewalled machine should fail, but ping should succeed.
49 attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
50 attacker.succeed("ping -c 1 walled >&2")
51
52 # Outgoing connections/pings should still work.
53 walled.succeed("curl -v http://attacker/ >&2")
54 walled.succeed("ping -c 1 attacker >&2")
55
56 # If we stop the firewall, then connections should succeed.
57 walled.stop_job("firewall")
58 attacker.succeed("curl -v http://walled/ >&2")
59
60 # Check whether activation of a new configuration reloads the firewall.
61 walled.succeed(
62 "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF firewall.service"
63 )
64 '';
65})