@matthewcosgrove
Last active November 28, 2020 17:07
Network Dependency Checks

Prerequisites to run the scripts

Requires bash v4+, netcat (nc), jq, spruce.

#!/bin/bash
# Probe the hosts/ports declared in a firewall-rules YAML file and report
# which destinations are reachable.
# Env: FIREWALL_RULES_YAML_ABSOLUTE_FILEPATH (optional) overrides the default
#      ../firewall-rules.yml relative to this script's directory.
set -euo pipefail
# Resolve the directory holding this script so relative paths work from any cwd.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
default_input_yaml="${SCRIPT_DIR}/../firewall-rules.yml"
# The environment override wins; otherwise use the file next to the script.
input_yaml="${FIREWALL_RULES_YAML_ABSOLUTE_FILEPATH:-${default_input_yaml}}"
# Render the input YAML (input_yaml) as JSON on stdout; spruce does the parsing.
firewall_rules_as_json() {
  spruce json <"${input_yaml}"
}
# ANSI colour escapes. They are single-quoted, so the \033 is expanded by
# printf (where they are used as part of the format string), not by the shell.
RED='\033[0;31m'
GREEN='\033[0;32m'
NO_COLOR='\033[0m'
# Overall outcome: check_exit_code sets this to 1 when any probe fails.
result=0
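#######################################
# Print one coloured status line for a probe and record failures.
# Globals:   RED, GREEN, NO_COLOR (read); result (set to 1 on failure)
# Arguments: $1 - exit code of the probe (0 means reachable)
#            $2 - target label, e.g. "host:port"
#            $3 - rule name taken from the input YAML
# Outputs:   one status line to stdout
#######################################
check_exit_code() {
  local code=$1 target=$2 name=$3
  # target and name originate from the YAML, so they are passed as %s
  # arguments rather than spliced into the printf format: a literal '%' in a
  # rule name would otherwise be interpreted as a conversion specifier.
  if [[ "${code}" -ne 0 ]]; then
    printf "${RED}Failed!${NO_COLOR}\t%s (%s)\n" "${target}" "${name}"
    result=1
  else
    printf "${GREEN}OK${NO_COLOR}\t%s (%s)\n" "${target}" "${name}"
  fi
}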
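#######################################
# Probe each destination with netcat and report the outcome.
# Globals:   result (updated via check_exit_code)
# Arguments: $1 - whitespace-separated list of base64-encoded JSON objects,
#                 each with keys name, host and port (produced by the caller's
#                 jq filters)
# Outputs:   one "[TEST] ..." line and one status line per destination
# Returns:   exits 1 when called without arguments
#######################################
check_firewall_rules() {
  if [[ $# -eq 0 ]]; then
    echo "No arguments provided. Expected args in the form check_firewall_rules \"{name="my VM over https", host="10.0.0.2", port=443}\""
    exit 1
  fi
  local -r timeout="1"   # seconds netcat waits for the connection
  local row decoded name host port exit_code
  # Intentional word-splitting: the caller hands over one base64 token per line.
  for row in ${1}; do
    # Decode once rather than once per field.
    decoded=$(printf '%s' "${row}" | base64 --decode)
    name=$(jq -r .name <<<"${decoded}")
    host=$(jq -r .host <<<"${decoded}")
    port=$(jq -r .port <<<"${decoded}")
    printf '[TEST] nc -w %s %s %s\n' "${timeout}" "${host}" "${port}"
    # -z is not available on every distro's nc, so attempt a real connection
    # with stdin closed instead; capture the status without tripping set -e.
    # https://stackoverflow.com/questions/38695594/nc-invalid-option-z
    exit_code=0
    nc -w "${timeout}" "${host}" "${port}" </dev/null || exit_code=$?
    check_exit_code "${exit_code}" "${host}:${port}" "${name}"
  done
}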
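# Emit base64-encoded {name, host, port} objects, one per line, for every
# destination that declares the given list key ("ips" or "dns_a_records").
# Arguments: $1 - destination key holding the list of hosts
destinations_by_key() {
  firewall_rules_as_json | jq -r --arg key "$1" \
    '.destinations[] | select(.[$key] != null) | {name: "\(.name)", host: "\(.[$key][])", port: "\(.port)"} | @base64'
}

printf 'Processing input %s as json..\n' "${input_yaml}"
firewall_rules_as_json | jq .
# Static IPs first, then DNS A records; both feed the same probe loop.
ips_and_ports_json=$(destinations_by_key ips)
check_firewall_rules "${ips_and_ports_json}"
dns_a_records_and_ports_json=$(destinations_by_key dns_a_records)
check_firewall_rules "${dns_a_records_and_ports_json}"
# check_exit_code sets 'result' to 1 on any failed probe. Propagating it is
# what lets a caller (CI, the test wrapper) notice an unreachable destination;
# without this the script exits 0 regardless of the outcome.
exit "${result}"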
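# Test fixture for check_firewall_rules.sh. Each destination lists a port plus
# either static ips, dns_a_records, or both; the checker probes every
# host/port pair. Entries prefixed "fail-" are expected to be unreachable.
destinations:
- name: happy-path-available-port-no-dns
  ips:
  - "127.0.0.1"
  port: "22"
- name: happy-path-available-port-multiple-ips-no-dns
  ips:
  - "127.0.0.1"
  - "127.0.1.1"
  port: "22"
- name: fail-unavailable-port-no-dns
  ips:
  - "127.0.0.1"
  port: "999"
- name: happy-path-available-port-with-ip-and-valid-dns
  ips:
  - "127.0.0.1"
  port: "22"
  dns_a_records:
  - "localhost"
- name: fail-available-port-with-ip-and-invalid-dns
  ips:
  - "127.0.0.1"
  port: "22"
  dns_a_records:
  - "designed.to.fail.localdomain"
- name: happy-path-available-port-with-dns-and-no-ip
  dns_a_records:
  - "localhost"
  port: "22"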
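#!/bin/bash
# Run check_firewall_rules.sh against the bundled test-firewall-rules.yml.
# The fixture includes destinations whose names start with "fail-", which are
# meant to be reported as unreachable.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
# check_firewall_rules.sh reads its input path from this variable.
export FIREWALL_RULES_YAML_ABSOLUTE_FILEPATH="${SCRIPT_DIR}/test-firewall-rules.yml"
printf 'Testing with file %s\n' "${FIREWALL_RULES_YAML_ABSOLUTE_FILEPATH}"
# Quoted so a path containing spaces or glob characters is passed intact.
cat -- "${FIREWALL_RULES_YAML_ABSOLUTE_FILEPATH}"
"${SCRIPT_DIR}"/check_firewall_rules.sh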