diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix
index dd7551f143a5e..0be4a9dec773f 100644
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@@ -3,14 +3,31 @@
 import ./make-test-python.nix ( { pkgs, nftables, ... } : {
 name = "firewall" + pkgs.lib.optionalString nftables "-nftables";
 meta = with pkgs.lib.maintainers; {
- maintainers = [ eelco ];
+ maintainers = [ eelco rvfg ];
 };
 
 nodes =
 { walled =
 { ... }:
- { networking.firewall.enable = true;
- networking.firewall.logRefusedPackets = true;
+ { networking.firewall = {
+ enable = true;
+ logRefusedPackets = true;
+ # Syntax smoke test, not actually verified otherwise
+ allowedTCPPorts = [ 25 993 8005 ];
+ allowedTCPPortRanges = [
+ { from = 980; to = 1000; }
+ { from = 990; to = 1010; }
+ { from = 8000; to = 8010; }
+ ];
+ interfaces.eth0 = {
+ allowedTCPPorts = [ 10003 ];
+ allowedTCPPortRanges = [ { from = 10000; to = 10005; } ];
+ };
+ interfaces.eth3 = {
+ allowedUDPPorts = [ 10003 ];
+ allowedUDPPortRanges = [ { from = 10000; to = 10005; } ];
+ };
+ };
 networking.nftables.enable = nftables;
 services.httpd.enable = true;
 services.httpd.adminAddr = "foo@example.org";
@@ -36,7 +53,7 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : {
 };
 
 testScript = { nodes, ... }: let
- newSystem = nodes.walled2.config.system.build.toplevel;
+ newSystem = nodes.walled2.system.build.toplevel;
 unit = if nftables then "nftables" else "firewall";
 in ''
 start_all()
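Review bot: The options added under `networking.firewall` on `walled` (`allowedTCPPorts`, the overlapping `allowedTCPPortRanges` 980-1000 / 990-1010, and the per-interface `eth0`/`eth3` blocks) are only evaluated, as the `# Syntax smoke test, not actually verified otherwise` comment admits; nothing asserts they reach the live ruleset, so a regression that silently dropped or widened one of these rules would still pass this test. A cheap positive check in `testScript` after `start_all()` would be `walled.succeed("${if nftables then "nft list ruleset" else "iptables-save"} | grep -q -- 8005")`, matching on a single port because the two backends presumably render the range entries differently. It is also worth stating in the comment that `eth3` does not exist in the VM, so that entry exercises rule generation for an unknown interface name rather than any traffic path. The `nodes` attribute set this hunk sits in continues past the hunk.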
@@ -56,6 +73,14 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : {
 walled.succeed("curl -v http://attacker/ >&2")
 walled.succeed("ping -c 1 attacker >&2")
 
+ # Open tcp port 80 at runtime
+ walled.succeed("nixos-firewall-tool open tcp 80")
+ attacker.succeed("curl -v http://walled/ >&2")
+
+ # Reset the firewall
+ walled.succeed("nixos-firewall-tool reset")
+ attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
+
 # If we stop the firewall, then connections should succeed.
 walled.stop_job("${unit}")
 attacker.succeed("curl -v http://walled/ >&2")
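Review bot: After `nixos-firewall-tool reset` the only assertion is the negative one on port 80, so a reset that tore down the statically configured rules together with the runtime-opened one (or left the firewall unit failed) would still pass; pair it with a positive check that the configured ruleset survived, e.g. `walled.succeed("ping -c 1 attacker >&2")` followed by `walled.succeed("${if nftables then "nft list ruleset" else "iptables-save"} | grep -q -- 8005")`. The `attacker.fail` line depends on `--connect-timeout 2` because `walled` presumably drops rather than rejects (only `walled2`, outside this hunk, appears to set `rejectPackets`), which deserves a one-line comment such as `# walled drops instead of rejecting, so curl must time out rather than get a RST`. If the tool offers a `show` subcommand, a `walled.succeed("nixos-firewall-tool show | grep -q 80")` after the `open` call would also confirm the rule was installed rather than the connection succeeding for some other reason. The `testScript` string this hunk belongs to starts and ends outside the hunk.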