Skip to content

feat(validation): add firewall validation for iptables/ufw rules #81

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
theFong wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(validation): add firewall validation for iptables/ufw rules #81

theFong wants to merge 2 commits into from

Conversation

@theFong
Copy link
Member

@theFong theFong commented Jan 31, 2026
edited
Loading

Summary

  • Add networking_validation.go with ValidateFirewallBlocksPort and ValidateDockerFirewallBlocksPort to verify servers on 0.0.0.0 are not accessible from outside
  • Extract instance validation functions to instance_validation.go for better organization
  • Add RunFirewallValidation standalone suite for comprehensive firewall testing
  • Integrate ValidateFirewallBlocksPort and ValidateDockerFirewallBlocksPort into RunInstanceLifecycleValidation

This validates that the iptables rules from BREV-2599 are working correctly by verifying that Docker containers binding to 0.0.0.0 on non-allowed ports cannot be reached from outside.

Validation Proof

Tested via PR #82 which flushed the DOCKER-USER iptables chain to simulate the vulnerable state:

Without iptables rules (vulnerable):

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
(empty - no rules)

Result: port 9999 is accessible from outside but should be blocked by firewall (attempt 1 succeeded)FAIL

With iptables rules (secure):

Chain DOCKER-USER (1 references)
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Result: checkPortBlocked: confirmed port 9999 is blocked after 3 attemptsPASS

Test plan

@theFong theFong requested a review from a team as a code owner January 31, 2026 17:36
@theFong theFong force-pushed the feat/firewall-validation branch from 82c3e37 to 0f596bf Compare January 31, 2026 17:45
@theFong theFong mentioned this pull request Jan 31, 2026
Closed
@theFong theFong force-pushed the feat/firewall-validation branch 5 times, most recently from 080b1e1 to aa737f6 Compare January 31, 2026 19:37
@theFong
feat(validation): add firewall validation for iptables/ufw rules
f592a04 
- Add networking_validation.go with ValidateFirewallBlocksPort and
  ValidateDockerFirewallBlocksPort to verify servers on 0.0.0.0 are
  not accessible from outside
- Extract instance validation functions to instance_validation.go
- Add RunFirewallValidation to validation suite
- Integrate ValidateFirewallBlocksPort into RunInstanceLifecycleValidation
@theFong theFong force-pushed the feat/firewall-validation branch from aa737f6 to f592a04 Compare January 31, 2026 19:41
@theFong theFong mentioned this pull request Jan 31, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@theFong