Bug 33406 - Tests for Univention Firewall
Status: NEW
Product: UCS Test
Classification: Unclassified
Component: General
Assigned To: UCS maintainers
Duplicates: 27657
Reported: 2013-11-15 09:43 CET by Moritz Muehlenhoff
Modified: 2018-04-14 13:47 CEST
What kind of report is it?: Development Internal
Description Moritz Muehlenhoff univentionstaff 2013-11-15 09:43:50 CET
The product tests for Univention Firewall could be fully automated:

Two systems are needed, a UCS system running Univention Firewall (the test could be run on every system role) and an additional scan host (could be a base system). Both systems need an IPv4 and IPv6 address.

Scans should be made from the second host using "nmap" and "nmap -6". The scans should simply be executed remotely via "ssh HOST COMMAND".

The following tests should be implemented:

- The UCS system should be pingable via IPv4 and IPv6 (ping6)

- The UCS system should be able to ping the scan host via IPv4 and IPv6 (ping6)

- Configure the default policy to ACCEPT. A service which is permitted via package rules (e.g. "time", available on all system roles) should be reachable via IPv4 and IPv6. A fake service should be provided via netcat on some unused port (e.g. 1333). The fake service should be reachable.

- Configure the default policy to REJECT. A service which is permitted via package rules (e.g. "time", available on all system roles) should be reachable via IPv4 and IPv6. A fake service should be provided via netcat on some unused port (e.g. 1333). The fake service should be shown as "closed".

- Configure the default policy to DROP. A service which is permitted via package rules (e.g. "time", available on all system roles) should be reachable via IPv4 and IPv6. A fake service should be provided via netcat on some unused port (e.g. 1333). The fake service should be shown as "filtered".

- Store the output of "iptables -L". Univention Firewall should now be disabled using security/packetfilter/disabled=true and a restart. As a result the iptables chains should now be empty. Then security/packetfilter/disabled should be unset and after a restart the original output should be available again.

- Configure the default policy to REJECT. A service which is permitted via package rules (e.g. "time", available on all system roles) should be reachable via IPv4 and IPv6. Now the package-specific rules should be disabled using security/packetfilter/use_packages=false (and a restart of Univention Firewall). The time service should be shown as "closed".

- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port (e.g. 1333):
ucr set security/packetfilter/tcp/1333/ipv6=ACCEPT
The fake service should be reachable via IPv6, but not via IPv4.

- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port (e.g. 1333):
ucr set security/packetfilter/tcp/1333/ipv4=ACCEPT
The fake service should be reachable via IPv4, but not via IPv6.

- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port (e.g. 1333):
ucr set security/packetfilter/tcp/1333/all=ACCEPT
The fake service should be reachable via IPv4 and IPv6.

- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port for UDP (e.g. 1333):
ucr set security/packetfilter/udp/1333/ipv6=ACCEPT
The fake service should be reachable via IPv6, but not via IPv4. (nmap -sU)

- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port for UDP (e.g. 1333):
ucr set security/packetfilter/udp/1333/ipv4=ACCEPT
The fake service should be reachable via IPv4, but not via IPv6. (nmap -sU)

- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused port for UDP (e.g. 1333):
ucr set security/packetfilter/udp/1333/all=ACCEPT
The fake service should be reachable via IPv4 and IPv6. (nmap -sU)

- Configure the default policy to REJECT. A fake service should be provided via netcat on some unused ports (e.g. 1333-1335):
ucr set security/packetfilter/tcp/1333-1334/all=ACCEPT
The fake service should be reachable on 1333 and 1334, but not on 1335.

- An arbitrary iptables rule should be appended to /etc/security/packetfilter.d/50_local.sh. After a restart of Univention Firewall this rule should be visible in the output of "iptables -L".

- An arbitrary iptables rule should be shipped as an executable shell script in /etc/security/packetfilter.d/60ucstest.sh. After a restart of Univention Firewall this rule should be visible in the output of "iptables -L".
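A shell helper for the nmap-based checks in the plan above, added here as an example; it is not code from the bug report or from the UCS test suite. It encodes the verdict the plan expects for the netcat fake service under each default policy (ACCEPT: open, REJECT: closed, DROP: filtered) and compares a scan result against it. The assumption that "time" listens on 37/tcp, the scan-host wrapper and the sample nmap output are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or the UCS test suite.
# Assumptions: "time" listens on 37/tcp, the fake netcat service on 1333/tcp,
# and the nmap output below is constructed, not captured from a real scan.

# Port state nmap must report: a port permitted by a rule is always open;
# an unpermitted port depends on the default policy: ACCEPT -> open (netcat
# answers), REJECT -> closed (RST / ICMP unreachable), DROP -> filtered
# (no answer at all, so nmap's probe times out).
expected_state() {  # expected_state POLICY [permitted]
    if [ "$2" = permitted ]; then echo open; return 0; fi
    case "$1" in
        ACCEPT) echo open ;;
        REJECT) echo closed ;;
        DROP)   echo filtered ;;
        *) echo "unknown default policy: $1" >&2; return 1 ;;
    esac
}

# State nmap printed for PORT/PROTO (e.g. 1333/tcp) in normal-format output
# read from stdin; prints "absent" when no line for that port exists.
port_state() {
    awk -v p="$1" '$1 == p { print $2; found = 1 } END { if (!found) print "absent" }'
}

# check_port POLICY PORT/PROTO [permitted] < nmap-output
# Exit 0 if the observed state is the one the plan demands, 1 otherwise.
check_port() {
    want=$(expected_state "$1" "$3") || return 1
    got=$(port_state "$2")
    if [ "$got" = "$want" ]; then
        echo "ok: $2 is $got under default policy $1"
    else
        echo "FAIL: $2 is $got, expected $want under default policy $1" >&2
        return 1
    fi
}

# Real scan (not run here): executed from the scan host over ssh as the
# report suggests; pass -6 as the third argument for the IPv6 run.
scan_remote() {  # scan_remote SCANHOST TARGET [-6]
    ssh "$1" nmap $3 -sT -p 37,1333 "$2"
}

# Constructed nmap output for the REJECT case: the "time" service permitted
# by a package rule stays open, the fake service on 1333/tcp is rejected.
SAMPLE_REJECT='PORT     STATE  SERVICE
37/tcp   open   time
1333/tcp closed unknown'
```

For the DROP case the same scan must report 1333/tcp as filtered, which is what distinguishes a dropped packet from a rejected one on the wire.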
Comment 1 Moritz Muehlenhoff univentionstaff 2013-11-15 09:45:37 CET
Once implemented the product tests for Univention Firewall should be modified so that only the test is run.
Comment 2 Stefan Gohmann univentionstaff 2014-09-12 15:55:14 CEST
*** Bug 27657 has been marked as a duplicate of this bug. ***