Firewall plugin for Infrataster
Ruby
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
lib
spec
.gitignore
.rubocop.yml
.travis.yml
Gemfile
LICENSE.txt
README.md
RELEASE_NOTES.md
Rakefile
infrataster-plugin-firewall.gemspec

README.md

Infrataster::Plugin::Firewall

Gem Version Build Status Coverage Status

Firewall plugin for Infrataster.

Why Infrataster::Plugin::Firewall

We want to test connectivity between a source server and a destination server. But the servers could not respond because of no service provided on the port which we want to test. So, this plugin tests tcp/udp with tcpdump which can get packets on destination servers. Tcpdump can capture packets even if iptables or firewalld drops the packets.

Usage

The usage is as same as Infrataster.

require 'infrataster-plugin-firewall'

describe server(:src) do
  describe firewall(server(:dst)) do
    it { is_expected.to be_reachable } #ICMP ping
    it { is_expected.to be_reachable.dest_port(80) } #TCP:80
    it { is_expected.to be_reachable.tcp.dest_port(80) }
    it { is_expected.to be_reachable.tcp.dest_port(22).ack } # judge with both ACK and captured SYN
    it { is_expected.to be_reachable.tcp.dest_port(22).ack(:only) } # judge with only ACK
    it { is_expected.to be_reachable.udp.dest_port(53) }
    it { is_expected.to be_reachable.dest_port('80/tcp') }
    it { is_expected.to be_reachable.dest_port('53/udp') }
    it { is_expected.to be_reachable.tcp.dest_port(80).source_port(30123) }
  end
end

You can get following result:

$ bundle exec rspec

server 'src'
  via firewall
    should reach to server 'dst'
    should reach to server 'dst' dest_port: 80
    should reach to server 'dst' tcp dest_port: 80
    should reach to server 'dst' tcp dest_port: 22
    should reach to server 'dst' tcp dest_port: 22
    should reach to server 'dst' udp dest_port: 53
    should reach to server 'dst' dest_port: 80/tcp
    should reach to server 'dst' dest_port: 53/udp
    should reach to server 'dst' tcp dest_port: 80 source_port: 30123

Finished in 21.35 seconds (files took 0.7851 seconds to load)
9 examples, 0 failures
$

Installation

Add this line to your application's Gemfile:

gem 'infrataster-plugin-firewall'

And then execute:

$ bundle

Or install it yourself as:

$ gem install infrataster-plugin-firewall

Requirement

This plugin uses nc(netcat) and tcpdump. You need to run tcpdump on destination servers with sudo, and nc on source servers.

Release Notes

Release Notes

Contributing

  1. Fork it ( https://github.com/otahi/infrataster-plugin-firewall/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request