1 Testing the ruleset rendered from the default firewall configuration.
2
3 -- Testcase --
4 {%
// Test setup: run the firewall4 renderer through the shared mock harness.
// Only the values set here differ from the harness defaults; everything
// else (network/service data, fs lookups) comes from ./tests/mock.uc.
5 include("./tests/mock.uc", {
// Entry point exercised by this case (resolved by the mock harness).
6 TESTFILE: "test-wrapper.uc",
// Emit a "[call] ..." trace of every mocked call on stderr; the
// "-- Expect stderr --" section below pins that trace, so any new
// lookup the renderer performs (e.g. an extra fs.stat) fails the test.
7 TRACE_CALLS: "stderr",
8
// Override getenv so the wrapper sees ACTION=print and only prints the
// rendered ruleset instead of applying it. Every other variable name
// falls out of the switch and yields null (no default branch).
9 getenv: function(varname) {
10 switch (varname) {
11 case 'ACTION':
12 return 'print';
13 }
14 }
15 })
16 %}
17 -- End --
18
19 -- Expect stdout --
20 table inet fw4
21 flush table inet fw4
22
23 table inet fw4 {
24 #
25 # Set definitions
26 #
27
28
29 #
30 # Defines
31 #
32
33 define lan_devices = { "br-lan" }
34 define lan_subnets = { 192.168.26.0/24, fd63:e2f:f706::/60 }
35
36 define wan_devices = { "wan" }
37 define wan_subnets = { 10.11.12.0/24 }
38
39
40 #
41 # User includes
42 #
43
44 include "/etc/nftables.d/*.nft"
45
46
47 #
48 # Filter rules
49 #
50
51 chain input {
52 type filter hook input priority filter; policy accept;
53
54 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
55
56 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
57
58
59 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
60
61
62 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
63 iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
64
65 }
66
67 chain forward {
68 type filter hook forward priority filter; policy drop;
69
70 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
71
72
73
74 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
75 iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
76
77 jump handle_reject
78 }
79
80 chain output {
81 type filter hook output priority filter; policy accept;
82
83 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
84
85 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
86
87
88
89 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
90 oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
91
92 }
93
94 chain handle_reject {
95 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
96 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
97 }
98
99 chain syn_flood {
100 tcp flags & (fin | syn | rst | ack) == syn limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
101 drop comment "!fw4: Drop excess packets"
102 }
103
104
105 chain input_lan {
106 jump accept_from_lan
107 }
108
109 chain output_lan {
110 jump accept_to_lan
111 }
112
113 chain forward_lan {
114 jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
115 jump accept_to_lan
116 }
117
118 chain accept_from_lan {
119 iifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
120 }
121
122 chain accept_to_lan {
123 oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
124 }
125
126 chain input_wan {
127 meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
128 meta nfproto ipv4 meta l4proto icmp counter accept comment "!fw4: Allow-Ping"
129 meta nfproto ipv4 meta l4proto igmp counter accept comment "!fw4: Allow-IGMP"
130 ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter accept comment "!fw4: Allow-DHCPv6"
131 meta l4proto ipv6-icmp ip6 saddr fe80::/10 counter accept comment "!fw4: Allow-MLD"
132 meta nfproto ipv6 meta l4proto ipv6-icmp limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
133 jump reject_from_wan
134 }
135
136 chain output_wan {
137 jump accept_to_wan
138 }
139
140 chain forward_wan {
141 meta nfproto ipv6 meta l4proto ipv6-icmp limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
142 meta l4proto esp counter jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
143 udp dport 500 counter jump accept_to_lan comment "!fw4: Allow-ISAKMP"
144 jump reject_to_wan
145 }
146
147 chain accept_to_wan {
148 oifname "wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
149 }
150
151 chain reject_from_wan {
152 iifname "wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
153 }
154
155 chain reject_to_wan {
156 oifname "wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
157 }
158
159
160
161 #
162 # NAT rules
163 #
164
165 chain dstnat {
166 type nat hook prerouting priority dstnat; policy accept;
167
168 }
169
170 chain srcnat {
171 type nat hook postrouting priority srcnat; policy accept;
172
173 oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
174 }
175
176 chain srcnat_wan {
177 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
178 }
179
180
181 #
182 # Raw rules (notrack & helper)
183 #
184
185 chain raw_prerouting {
186 type filter hook prerouting priority raw; policy accept;
187
188 iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
189 }
190
191 chain raw_output {
192 type filter hook output priority raw; policy accept;
193
194 }
195
196 ct helper amanda {
197 type "amanda" protocol udp;
198 }
199
200 ct helper ftp {
201 type "ftp" protocol tcp;
202 }
203
204 ct helper RAS {
205 type "RAS" protocol udp;
206 }
207
208 ct helper Q.931 {
209 type "Q.931" protocol tcp;
210 }
211
212 ct helper irc {
213 type "irc" protocol tcp;
214 }
215
216 ct helper netbios-ns {
217 type "netbios-ns" protocol udp;
218 }
219
220 ct helper pptp {
221 type "pptp" protocol tcp;
222 }
223
224 ct helper sane {
225 type "sane" protocol tcp;
226 }
227
228 ct helper sip {
229 type "sip" protocol udp;
230 }
231
232 ct helper snmp {
233 type "snmp" protocol udp;
234 }
235
236 ct helper tftp {
237 type "tftp" protocol udp;
238 }
239
240 ct helper rtsp {
241 type "rtsp" protocol tcp;
242 }
243
244
245 chain helper_lan {
246 meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
247 meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
248 meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
249 meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
250 meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
251 meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
252 meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
253 meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
254 meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
255 meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
256 meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
257 meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
258 }
259
260
261
262 #
263 # Mangle rules
264 #
265
266 chain mangle_prerouting {
267 type filter hook prerouting priority mangle; policy accept;
268
269 }
270
271 chain mangle_output {
272 type filter hook output priority mangle; policy accept;
273
274 }
275
276 chain mangle_forward {
277 type filter hook forward priority mangle; policy accept;
278
279 iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
280 oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
281 }
282 }
283 -- End --
284
285 -- Expect stderr --
286 [call] ctx.call object <network.interface> method <dump> args <null>
287 [call] ctx.call object <service> method <get_data> args <{ "type": "firewall" }>
288 [call] fs.open path </proc/version> mode <r>
289 [call] fs.stat path </sys/module/nf_conntrack_amanda>
290 [call] fs.stat path </sys/module/nf_conntrack_ftp>
291 [call] fs.stat path </sys/module/nf_conntrack_h323>
292 [call] fs.stat path </sys/module/nf_conntrack_h323>
293 [call] fs.stat path </sys/module/nf_conntrack_irc>
294 [call] fs.stat path </sys/module/nf_conntrack_netbios_ns>
295 [call] fs.stat path </sys/module/nf_conntrack_pptp>
296 [call] fs.stat path </sys/module/nf_conntrack_sane>
297 [call] fs.stat path </sys/module/nf_conntrack_sip>
298 [call] fs.stat path </sys/module/nf_conntrack_snmp>
299 [call] fs.stat path </sys/module/nf_conntrack_tftp>
300 [call] fs.stat path </sys/module/nf_conntrack_rtsp>
301 [call] fs.open path </sys/class/net/br-lan/flags> mode <r>
302 [call] fs.open path </sys/class/net/br-lan/flags> mode <r>
303 -- End --