Automated firewall testing

C2 | Mon 21 Jan | 2:25 p.m.–2:45 p.m.


Presented by

  • Kristof Provost
    @kprovst
    https://www.sigsegv.be/blog/

    Kristof is a freelance embedded software engineer specialising in network and video applications. He's a FreeBSD committer, maintainer of pf firewall in FreeBSD and a board member of the EuroBSDCon foundation. Kristof has an unfortunate tendency to stumble into uClibc bugs, and a burning hatred for FTP. Do not talk to him about IPv6 fragmentation.

Abstract

We're all convinced that automated tests are a good idea. For some programs (e.g. grep, awk, cc, ...) this is straightforward. Others are much harder to test, and firewalls are a good example. Testing a firewall typically takes two to three hosts: one to send traffic, the firewall under test, and one to receive traffic. That makes automated test orchestration complex and brittle, which in turn means that tests either don't get written, are difficult to write, and/or suffer random failures unrelated to the firewall itself. Virtualisation has made this somewhat easier, but it is still fiddly, hard to make robust, and slow. FreeBSD's network stack virtualisation (VNET) lets us build on the existing jails system to create a test setup, run the test and clean up again in seconds, with no additional hardware and no need for hardware virtualisation support.
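The abstract describes the setup but does not show one. The script below is an added example, not code from the talk or from FreeBSD's own pf test suite, of what such a test looks like when built from the stock tools (jail, jexec, ifconfig epair, pfctl): two VNET jails joined by an epair, pf enabled in one of them, a ruleset loaded, traffic sent from the other, and everything torn down again. The jail names fw and src, the 192.0.2.0/24 addresses, and the dry-run recording into PLAN are the example's own assumptions; a real run needs root on FreeBSD 12 or newer (where VIMAGE is on by default) with the pf and if_epair modules available.

```shell
#!/bin/sh
# Added example (not code from the talk or from FreeBSD's test suite): the
# skeleton of a pf test on VNET jails.  Two jails with their own network
# stacks are joined by an epair; "fw" runs pf, "src" sends traffic; both are
# removed again at the end.  A real run needs root on FreeBSD 12 or newer
# (VIMAGE is on by default) with the pf and if_epair modules.  Anywhere else,
# or with DRY_RUN=1, privileged commands are appended to PLAN rather than
# executed, so the command sequence can be inspected on any host.

if [ "$(uname -s 2>/dev/null)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    : "${DRY_RUN:=0}"
else
    : "${DRY_RUN:=1}"
fi
PLAN=""; EPAIR_SEQ=0; LINK_A=""; LINK_B=""
NL='
'
# run CMD...: execute one privileged command, or record it in a dry run.
run() {
    if [ "$DRY_RUN" = 1 ]; then PLAN="${PLAN}$*${NL}"; return 0; fi
    "$@"
}
# expect ok|fail CMD...: run CMD and compare its exit status with the
# expectation (only recorded in a dry run).  Returns 1 on a mismatch.
expect() {
    want=$1; shift
    if [ "$DRY_RUN" = 1 ]; then PLAN="${PLAN}# expect $want: $*${NL}"; return 0; fi
    if "$@" >/dev/null 2>&1; then got=ok; else got=fail; fi
    if [ "$got" != "$want" ]; then
        echo "FAIL: expected $want, got $got: $*" >&2; return 1
    fi
    echo "ok: $*"
}
# A persistent jail with its own network stack; raw sockets allowed so that
# ping works inside it.
vnet_mkjail() { run jail -c name="$1" vnet persist allow.raw_sockets; }
vnet_rmjail() { run jail -r "$1"; }
# link_jails A B: create an epair and move its ends into jails A and B.
# Sets LINK_A / LINK_B to the interface names seen inside A and B.
link_jails() {
    if [ "$DRY_RUN" = 1 ]; then
        run ifconfig epair create
        LINK_A="epair${EPAIR_SEQ}a"; EPAIR_SEQ=$((EPAIR_SEQ + 1))
    else
        LINK_A=$(ifconfig epair create)   # prints the "a" end, e.g. epair0a
    fi
    LINK_B="${LINK_A%a}b"                 # the "b" end of the same pair
    run ifconfig "$LINK_A" vnet "$1"
    run ifconfig "$LINK_B" vnet "$2"
}
# load_rules JAIL RULES: replace the pf ruleset inside JAIL.
load_rules() {
    if [ "$DRY_RUN" = 1 ]; then PLAN="${PLAN}echo '$2' | jexec $1 pfctl -f -${NL}"; return 0; fi
    printf '%s\n' "$2" | jexec "$1" pfctl -f -
}
# The test proper: with "block in proto icmp" loaded, pings from src must
# fail; with "pass in proto icmp" they must get through.
pf_block_test() {
    vnet_mkjail fw
    vnet_mkjail src
    link_jails fw src
    run jexec fw ifconfig "$LINK_A" inet 192.0.2.1/24 up
    run jexec src ifconfig "$LINK_B" inet 192.0.2.2/24 up
    # Check the plumbing before any rule exists, so that a later "blocked"
    # result cannot be a broken link masquerading as a working firewall.
    expect ok jexec src ping -c 1 -t 1 192.0.2.1 || return 1
    run jexec fw pfctl -e
    load_rules fw 'block in proto icmp'
    expect fail jexec src ping -c 1 -t 1 192.0.2.1 || return 1
    load_rules fw 'pass in proto icmp'
    expect ok jexec src ping -c 1 -t 1 192.0.2.1 || return 1
}
# Interfaces return to the host when their vnet is destroyed; destroying one
# end of an epair removes both.
cleanup() {
    vnet_rmjail fw || true
    vnet_rmjail src || true
    if [ -n "$LINK_A" ]; then run ifconfig "$LINK_A" destroy || true; fi
}
main() {
    for m in pf if_epair; do run kldload -n "$m"; done
    if pf_block_test; then status=0; else status=1; fi
    cleanup
    if [ "$DRY_RUN" = 1 ]; then printf '%s' "$PLAN"; fi   # show what would run
    return $status
}
main
```

Run it as root on a FreeBSD host and the whole cycle (two jails, one link, three checks, teardown) completes in well under a second, with no VM involved; on any other host it prints the command plan instead. The ping before pf is enabled is the check worth keeping in every such test: without it a broken epair or a missing allow.raw_sockets looks exactly like a working block rule. FreeBSD's own pf regression tests (tests/sys/netpfil/pf in the source tree) wrap the same ingredients in ATF test cases.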