Univention Bugzilla – Bug 33406
Tests for Univention Firewall
Last modified: 2018-04-14 13:47:13 CEST
The product tests for Univention Firewall could be fully automated: Two systems are needed, a UCS system running Univention Firewall (the test could be run on every system role) and an additional scan host (could be a base system). Both systems need an IPv4 and IPv6 address. Scans should be made from the second host using "nmap" and "nmap -6". The scans should simply be executed remotely via "ssh HOST COMMAND".

The following tests should be implemented:

- The UCS system should be pingable via IPv4 and IPv6 (ping6).
- The UCS system should be able to ping the scan host via IPv4 and IPv6 (ping6).
- Configure the default policy to ACCEPT. A service which is permitted via package rules (e.g. "time", available on all system roles) should be reachable via IPv4 and IPv6. A fake service should be provided via netcat on some unused port (e.g. 1333). The fake service should be reachable.
- Configure the default policy to REJECT. A service which is permitted via package rules (e.g. "time", available on all system roles) should be reachable via IPv4 and IPv6. A fake service should be provided via netcat on some unused port (e.g. 1333). The fake service should be shown as "closed".
- Configure the default policy to DROP. A service which is permitted via package rules (e.g. "time", available on all system roles) should be reachable via IPv4 and IPv6. A fake service should be provided via netcat on some unused port (e.g. 1333). The fake service should be shown as "filtered".
- Store the output of "iptables -L". Univention Firewall should now be disabled using security/packetfilter/disabled=true and a restart. As a result the iptables chains should now be empty. Then security/packetfilter/disabled should be unset and after a restart the original output should be available again.
- Configure the default policy to REJECT. A service which is permitted via package rules (e.g. "time", available on all system roles) should be reachable via IPv4 and IPv6. Now the package-specific rules should be disabled using security/packetfilter/use_packages=false (and a restart of Univention Firewall). The time service should be shown as "closed".
- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port (e.g. 1333):
    ucr set security/packetfilter/tcp/1333/ipv6=ACCEPT
  The fake service should be reachable via IPv6, but not via IPv4.
- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port (e.g. 1333):
    ucr set security/packetfilter/tcp/1333/ipv4=ACCEPT
  The fake service should be reachable via IPv4, but not via IPv6.
- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port (e.g. 1333):
    ucr set security/packetfilter/tcp/1333/all=ACCEPT
  The fake service should be reachable via IPv4 and IPv6.
- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port for UDP (e.g. 1333):
    ucr set security/packetfilter/udp/1333/ipv6=ACCEPT
  The fake service should be reachable via IPv6, but not via IPv4. (nmap -sU)
- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port for UDP (e.g. 1333):
    ucr set security/packetfilter/udp/1333/ipv4=ACCEPT
  The fake service should be reachable via IPv4, but not via IPv6. (nmap -sU)
- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port for UDP (e.g. 1333):
    ucr set security/packetfilter/udp/1333/all=ACCEPT
  The fake service should be reachable via IPv4 and IPv6. (nmap -sU)
- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused ports (e.g. 1333-1335):
    ucr set security/packetfilter/tcp/1333-1334/all=ACCEPT
  The fake service should be reachable on 1333 and 1334, but not on 1335.
- An arbitrary iptables rule should be appended to /etc/security/packetfilter.d/50_local.sh. After a restart of Univention Firewall this rule should be visible in the output of "iptables -L".
- An arbitrary iptables rule should be shipped as an executable shell script in /etc/security/packetfilter.d/60ucstest.sh. After a restart of Univention Firewall this rule should be visible in the output of "iptables -L".
Once implemented, the product tests for Univention Firewall should be modified so that only the test is run.
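The scope scenarios above (a tcp/udp port rule with ipv4, ipv6 or all, scanned from the second host) all follow the same pattern: set the default policy to REJECT, set one UCR rule, restart the firewall, scan the port over IPv4 and over IPv6, and compare nmap's port state with what the rule permits. The following harness sketch is an added example written for this bug page; it is not code from the bug report or from ucs-test. It runs on the scan host and assumes root SSH access to the UCS system, nmap on the scan host, the UCR variable security/packetfilter/defaultpolicy for the default policy and "service univention-firewall restart" for the restart (neither command is named in the bug, both are assumptions), and that the fake netcat listener on the port has already been started. The embedded nmap output used by the parser is constructed sample data.

```python
"""Harness sketch for the scope-rule tests of Univention Firewall (Bug 33406).

Added example, not part of the bug report or of ucs-test. Runs on the scan host.
Assumptions not stated in the bug: root SSH to the UCS system, nmap installed
here, the UCR variable security/packetfilter/defaultpolicy for the default
policy, "service univention-firewall restart" as the restart command, and a
netcat listener already bound to the tested port on the UCS system.
"""
import re
import subprocess

# nmap state for a port the firewall does NOT permit, per default policy:
# ACCEPT lets the netcat listener answer ("open"), REJECT answers with RST or
# ICMP port unreachable ("closed"), DROP swallows the probe ("filtered").
POLICY_STATE = {"ACCEPT": "open", "REJECT": "closed", "DROP": "filtered"}

# Scope rules under default policy REJECT: (reachable via IPv4?, via IPv6?)
SCOPE_EXPECTATION = {"ipv4": (True, False), "ipv6": (False, True), "all": (True, True)}

# One entry of the "Ports:" field in nmap -oG output:
# port/state/protocol/owner/service/rpcinfo/version/
_PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/")

# Constructed sample output (not captured from a real host) for offline checks.
SAMPLE_V4_OPEN = (
    "# Nmap scan initiated as: nmap -Pn -oG - -p 1333 10.200.7.10\n"
    "Host: 10.200.7.10 ()\tStatus: Up\n"
    "Host: 10.200.7.10 ()\tPorts: 1333/open/tcp//unknown///\n"
)
SAMPLE_V6_CLOSED = (
    "Host: 2001:db8::10 ()\tStatus: Up\n"
    "Host: 2001:db8::10 ()\tPorts: 1333/closed/tcp//unknown///\n"
)
SAMPLE_UDP_OPENFILTERED = (
    "Host: 10.200.7.10 ()\tPorts: 1333/open|filtered/udp//unknown///\n"
)


def parse_nmap_grepable(output):
    """Parse 'nmap -oG -' output into {(proto, port): state}."""
    states = {}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in _PORT_RE.findall(ports_field):
            states[(proto, int(port))] = state
    return states


def is_reachable(state):
    """A UDP listener that never answers is reported as open|filtered by nmap
    (it cannot tell silence from a DROP), so count that as reachable too."""
    return state in ("open", "open|filtered")


def scan_command(target, port, proto="tcp", ipv6=False):
    """nmap invocation for one port: -6 for IPv6 and -sU for UDP as in the bug,
    -Pn so the port state does not depend on host discovery, -oG for parsing."""
    cmd = ["nmap", "-Pn", "-oG", "-", "-p", str(port)]
    if proto == "udp":
        cmd.append("-sU")
    if ipv6:
        cmd.append("-6")
    cmd.append(target)
    return cmd


def ucr_rule(proto, port, scope, action="ACCEPT"):
    """UCR key=value for a port rule, e.g. security/packetfilter/tcp/1333/ipv6=ACCEPT.
    port may be a range such as 1333-1334; scope is ipv4, ipv6 or all."""
    return "security/packetfilter/%s/%s/%s=%s" % (proto, port, scope, action)


def check_scope_scenario(scope, v4_states, v6_states, proto, port):
    """Compare parsed IPv4 and IPv6 scans with SCOPE_EXPECTATION.
    Returns a list of failure messages; an empty list means the scenario passed."""
    want_v4, want_v6 = SCOPE_EXPECTATION[scope]
    failures = []
    for family, states, want in (("IPv4", v4_states, want_v4), ("IPv6", v6_states, want_v6)):
        observed = states.get((proto, port), "absent")
        if is_reachable(observed) != want:
            failures.append("%s/%d via %s: expected %s, nmap reported %s" % (
                proto, port, family, "reachable" if want else "unreachable", observed))
    return failures


def ssh(host, *command):
    """Run COMMAND on HOST the way the bug describes: ssh HOST COMMAND."""
    return subprocess.run(["ssh", host] + list(command), capture_output=True,
                          text=True, check=True).stdout


def run_scope_scenario(ucs_host, ucs_v4, ucs_v6, scope, proto="tcp", port=1333):
    """Apply one scope rule on the UCS system and verify it from this scan host."""
    ssh(ucs_host, "ucr", "set", "security/packetfilter/defaultpolicy=REJECT",
        ucr_rule(proto, port, scope))
    ssh(ucs_host, "service", "univention-firewall", "restart")  # assumed command
    scans = []
    for target, ipv6 in ((ucs_v4, False), (ucs_v6, True)):
        out = subprocess.run(scan_command(target, port, proto, ipv6),
                             capture_output=True, text=True).stdout
        scans.append(parse_nmap_grepable(out))
    return check_scope_scenario(scope, scans[0], scans[1], proto, port)
```

Running all three scopes is a loop over SCOPE_EXPECTATION calling run_scope_scenario; the REJECT/DROP tests for an unpermitted port map onto POLICY_STATE in the same way, with the caveat that for UDP only "closed" (ICMP port unreachable from REJECT) is a definite verdict, since nmap cannot distinguish a silent listener from a DROP.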
*** Bug 27657 has been marked as a duplicate of this bug. ***