nixpkgs/tests/firewall.nix

# Test the firewall module.

{ pkgs, ... }:

{

  nodes =
    { walled =
        { config, pkgs, nodes, ... }:
        { networking.firewall.enable = true;
          networking.firewall.logRefusedPackets = true;
          services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
        };

      attacker =
        { config, pkgs, ... }:
        { services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
        };
    };

  testScript =
    { nodes, ... }:
    ''
      startAll;

      $walled->waitForUnit("firewall");
      $walled->waitForUnit("httpd");
      $attacker->waitForUnit("network.target");

      # Local connections should still work.
      $walled->succeed("curl -v http://localhost/ >&2");

      # Connections to the firewalled machine should fail.
      $attacker->fail("curl -v http://walled/ >&2");
      $attacker->fail("ping -c 1 walled >&2");

      # Outgoing connections/pings should still work.
      $walled->succeed("curl -v http://attacker/ >&2");
      $walled->succeed("ping -c 1 attacker >&2");

      # If we stop the firewall, then connections should succeed.
      $walled->stopJob("firewall");
      $attacker->succeed("curl -v http://walled/ >&2");
    '';

}
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 14:38:52 +01:00			`# Test the firewall module.`

			`{ pkgs, ... }:`

			`{`

			`nodes =`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 20:20:50 +02:00			`{ walled =`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 14:38:52 +01:00			`{ config, pkgs, nodes, ... }:`
			`{ networking.firewall.enable = true;`
			`networking.firewall.logRefusedPackets = true;`
			`services.httpd.enable = true;`
			`services.httpd.adminAddr = "foo@example.org";`
			`};`

strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 20:20:50 +02:00			`attacker =`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 14:38:52 +01:00			`{ config, pkgs, ... }:`
			`{ services.httpd.enable = true;`
			`services.httpd.adminAddr = "foo@example.org";`
			`};`
			`};`

			`testScript =`
			`{ nodes, ... }:`
			`''`
			`startAll;`

Tests: global search/replace of obsolete functions 2012-10-24 18:22:53 +02:00			`$walled->waitForUnit("firewall");`
			`$walled->waitForUnit("httpd");`
			`$attacker->waitForUnit("network.target");`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 14:38:52 +01:00
			`# Local connections should still work.`
			`$walled->succeed("curl -v http://localhost/ >&2");`

			`# Connections to the firewalled machine should fail.`
			`$attacker->fail("curl -v http://walled/ >&2");`
			`$attacker->fail("ping -c 1 walled >&2");`

			`# Outgoing connections/pings should still work.`
			`$walled->succeed("curl -v http://attacker/ >&2");`
			`$walled->succeed("ping -c 1 attacker >&2");`

			`# If we stop the firewall, then connections should succeed.`
Update some tests for systemd 2012-10-24 18:11:21 +02:00			`$walled->stopJob("firewall");`
* Add a test for the firewall. svn path=/nixos/trunk/; revision=26276 2011-03-11 14:38:52 +01:00			`$attacker->succeed("curl -v http://walled/ >&2");`
			`'';`

			`}`