snowdrift is a unit testing for firewall rules.

snowdrift is a unit testing for firewall rules.

snowdrift is a unit testing for firewall rules. It will change your workflow for the better.

This utility aims to automate that by having “rules files” which this script then procesess and will SSH into each machine and try connecting to the target host on the specified port.

By writing and saving rules file, you now have unit test-like ability for testing firewall changes. After changes are made, you can use this script to verify correctness of firewall operation, as opposed to having to SSH to different machines by hand, run netcat manually, and then run Traceroute manually to send back to the firewall team.
+ Test TCP connectivity from any host you can SSH to to any other target host
+ Test UDP connectivty for DNS by making DNS queries from any host you can SSH to to any other target host
+ Support for a range of hosts using the “[01-nn]” notation found in Ansible inventories.
+ Support for running traceroute and tcptraceroute when a connection fails.
+ Custom DNS queries can be made, with NXDOMAIN results being handled properly
+ Statistics for each Rule File tested against as well as the total run
+ Basic SSH connectivity to each host is checked and its state remembered, so that if there are many rules for a host you cannot SSH into, you will only see one error from the first instead of potentially dozens of errors.

How It Works?
The underlying mechanism is pretty starightforward: for each source host, this script will SSH into that host and run netcat (if testing TCP) or dig (if testing DNS) against the target host. It will then report the results back to you.


+ ssh-agent running, with keys to all machines you want to SSH to.
+ Bash
+ netcat (nc) installed on all machines you are testing from
+ dig installed on all machines your are testing DNS from
+ SSH Agent is set up so that you can SSH into machines you are testing from without a password
+ tcptraceroute installed on machines you want to run a TCP traceroute from

The following environment variables can be set to output debugging info:
+ DEBUG_CMD – Print out the command sent to SSH
+ DEBUG_SSH_CHECK – Print out the logic used to check whether we can SSH into a host or not
+ DEBUG_CMD_OUTPUT – Print the raw output from the SSH command

Testing can be done via docker, simply cd into the testing/ directory and run the script This will spin up some docker containers, and test the app from inside them.

Use and Download: