Skip to content

feat(validation): add firewall validation for iptables/ufw rules#81

Merged
drewmalin merged 4 commits intomainfrom
feat/firewall-validation
Feb 1, 2026
Merged

feat(validation): add firewall validation for iptables/ufw rules#81
drewmalin merged 4 commits intomainfrom
feat/firewall-validation

Conversation

@theFong
Copy link
Member

@theFong theFong commented Jan 31, 2026
edited
Loading

Summary

  • Add networking_validation.go with ValidateFirewallBlocksPort and ValidateDockerFirewallBlocksPort to verify servers on 0.0.0.0 are not accessible from outside
  • Extract instance validation functions to instance_validation.go for better organization
  • Add RunFirewallValidation standalone suite for comprehensive firewall testing
  • Integrate ValidateFirewallBlocksPort and ValidateDockerFirewallBlocksPort into RunInstanceLifecycleValidation

This validates that the iptables rules from BREV-2599 are working correctly by verifying that Docker containers binding to 0.0.0.0 on non-allowed ports cannot be reached from outside.

Validation Proof

Tested via PR #82 which flushed the DOCKER-USER iptables chain to simulate the vulnerable state:

Without iptables rules (vulnerable):

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
(empty - no rules)

Result: port 9999 is accessible from outside but should be blocked by firewall (attempt 1 succeeded)FAIL

With iptables rules (secure):

Chain DOCKER-USER (1 references)
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Result: checkPortBlocked: confirmed port 9999 is blocked after 3 attemptsPASS

Test plan

@theFong theFong requested a review from a team as a code owner January 31, 2026 17:36
@theFong theFong force-pushed the feat/firewall-validation branch from 82c3e37 to 0f596bf Compare January 31, 2026 17:45
@theFong theFong mentioned this pull request Jan 31, 2026
Closed
@theFong theFong force-pushed the feat/firewall-validation branch 6 times, most recently from aa737f6 to f592a04 Compare January 31, 2026 19:41
@theFong theFong mentioned this pull request Jan 31, 2026
Merged
@theFong @drewmalin
feat(validation): add firewall validation for iptables/ufw rules
1ef1ba1 
- Add networking_validation.go with ValidateFirewallBlocksPort and
  ValidateDockerFirewallBlocksPort to verify servers on 0.0.0.0 are
  not accessible from outside
- Extract instance validation functions to instance_validation.go
- Add RunFirewallValidation to validation suite
- Integrate ValidateFirewallBlocksPort into RunInstanceLifecycleValidation
@theFong @drewmalin
always run docker
37e47b1
@drewmalin drewmalin force-pushed the feat/firewall-validation branch from ca7bb68 to 37e47b1 Compare February 1, 2026 17:33
@drewmalin
Copy link
Contributor

drewmalin commented Feb 1, 2026

Rebasing on main to ensure nebius tests now pass

@drewmalin drewmalin merged commit 8d653f4 into main Feb 1, 2026
7 of 8 checks passed
@drewmalin drewmalin deleted the feat/firewall-validation branch February 1, 2026 19:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@drewmalin drewmalin drewmalin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@theFong @drewmalin