def test_firewall_block_packet(self):
"""Verify firewall blocks a packet that doesn't match a rule."""
fw = Firewall()
fw.add_fw_rule(
FirewallRule(direction="inbound",
protocol="tcp",
port="80",
ip_address="192.168.1.2"))
self.assertFalse(
fw.accept_packet(direction="outbound",
protocol="tcp",
port=80,
ip_address="192.168.1.2"))
self.assertFalse(
fw.accept_packet(direction="inbound",
protocol="udp",
port=80,
ip_address="192.168.1.2"))
self.assertFalse(
fw.accept_packet(direction="inbound",
protocol="udp",
port=81,
ip_address="192.168.1.2"))
self.assertFalse(
fw.accept_packet(direction="outbound",
protocol="tcp",
port=80,
ip_address="192.168.1.3"))
def testAcceptPacketFalse(self):
firewall = Firewall('allow_rules.csv')
self.assertEqual(
firewall.accept_packet("inbound", "tcp", 81, "192.168.1.2"), False)
self.assertEqual(
firewall.accept_packet("inbound", "udp", 24, "52.12.48.92"), False)
def test_firewall_allow_range_ipaddr_packet(self):
"""
Verify firewall allows a packet that matches a rule with ranged IP
addresses.
"""
fw = Firewall()
fw.add_fw_rule(
FirewallRule(direction="inbound",
protocol="tcp",
port="80",
ip_address="0.0.0.0-255.255.255.255"))
self.assertTrue(
fw.accept_packet(direction="inbound",
protocol="tcp",
port=80,
ip_address="0.0.0.0"))
self.assertTrue(
fw.accept_packet(direction="inbound",
protocol="tcp",
port=80,
ip_address="255.255.255.255"))
self.assertTrue(
fw.accept_packet(direction="inbound",
protocol="tcp",
port=80,
ip_address="192.168.1.2"))
def test_firewall_allow_range_port_packet(self):
"""
Verify firewall allows a packet that matches a rule with ranged port
numbers.
"""
fw = Firewall()
fw.add_fw_rule(
FirewallRule(direction="inbound",
protocol="tcp",
port="1-65535",
ip_address="192.168.1.2"))
self.assertTrue(
fw.accept_packet(direction="inbound",
protocol="tcp",
port=1,
ip_address="192.168.1.2"))
self.assertTrue(
fw.accept_packet(direction="inbound",
protocol="tcp",
port=65535,
ip_address="192.168.1.2"))
self.assertTrue(
fw.accept_packet(direction="inbound",
protocol="tcp",
port=30000,
ip_address="192.168.1.2"))
def test_tcp(self):
path = "rules.csv"
firewall = Firewall(path)
assert firewall.accept_packet("inbound", "tcp", 80, "192.168.1.2") == True
assert firewall.accept_packet("outbound", "tcp", 10234, "192.168.10.11") == True
assert firewall.accept_packet("inbound", "tcp", 81, "192.168.1.2") == False
assert firewall.accept_packet("outbound", "tcp", 20000, "192.168.10.11") == True
assert firewall.accept_packet("inbound", "tcp", 800, "192.168.1.2") == False
def test_udp(self):
path = "rules.csv"
firewall = Firewall(path)
assert firewall.accept_packet("inbound", "udp", 53, "192.168.2.1") == True
assert firewall.accept_packet("inbound", "udp", 24, "52.12.48.92") == False
assert firewall.accept_packet("inbound", "udp", 57, "192.168.1.1") == False
assert firewall.accept_packet("outbound", "udp", 1000, "52.12.48.92") == True
assert firewall.accept_packet("outbound", "udp", 1500, "52.12.48.93") == False
def common_cases():
f = Firewall('test_input.csv')
assert f.accept_packet("inbound", "tcp", 80, "192.168.1.2")
assert f.accept_packet("inbound", "udp", 53, "192.168.2.1")
assert not f.accept_packet("inbound", "tcp", 81, "192.168.1.2")
assert not f.accept_packet("inbound", "udp", 24, "52.12.48.92")
print('Base Cases Passed')
def test_sample_small():
print('Test firewall with', sample_small)
fw = Firewall(sample_small)
print(fw.accept_packet("inbound", "tcp", 80, "192.168.1.2") == True)
print(fw.accept_packet("inbound", "udp", 53, "192.168.2.1") == True)
print(fw.accept_packet("outbound", "tcp", 10234, "192.168.10.11") == True)
print(fw.accept_packet("inbound", "tcp", 81, "192.168.1.2") == False)
print(fw.accept_packet("inbound", "udp", 24, "52.12.48.92") == False)
print(fw.accept_packet("inbound", "tcp", 80, "192.168.1.3") == False)
def testAcceptPacketTrue(self):
firewall = Firewall('allow_rules.csv')
self.assertEqual(
firewall.accept_packet("inbound", "udp", 53, "192.168.2.5"), True)
self.assertEqual(
firewall.accept_packet("inbound", "tcp", 20, "192.168.1.101"),
True)
self.assertEqual(
firewall.accept_packet("inbound", "udp", 53, "192.168.2.1"), True)
self.assertEqual(
firewall.accept_packet("outbound", "tcp", 10234, "192.168.10.11"),
True)
def large_set():
f = Firewall('large_set.csv')
start = time.time()
# test overlap in part of ip range does not affect port validity
for i in range(100):
assert not f.accept_packet('inbound','tcp',1,'192.168.1.2')
end = time.time()
assert end-start<TIME_REQ
print('Large Set Passed')
def test_firewall_block_range_ipaddr_packet(self):
"""
Verify firewall blocks a packet that doesn't match a rule with ranged
IP addresses.
"""
fw = Firewall()
fw.add_fw_rule(
FirewallRule(direction="inbound",
protocol="tcp",
port="80",
ip_address="192.168.1.2-192.168.2.1"))
self.assertFalse(
fw.accept_packet(direction="inbound",
protocol="tcp",
port=80,
ip_address="192.168.1.1"))
self.assertFalse(
fw.accept_packet(direction="inbound",
protocol="tcp",
port=91,
ip_address="192.168.2.2"))
def edge_cases():
f = Firewall('edge_case.csv')
# test overlap in part of ip range does not affect port validity
assert not f.accept_packet("inbound", "tcp", 89, "192.168.2.3")
# test present ip range overlap does not affect port validity
assert f.accept_packet("inbound", "tcp", 80, "192.168.1.9")
# test port range is inclusive
assert f.accept_packet("inbound", "tcp", 53, "192.168.1.2")
assert f.accept_packet("inbound", "tcp", 79, "192.168.1.2")
# test ip address range is inclusive
assert f.accept_packet("inbound", "tcp", 80, "192.168.2.5")
assert f.accept_packet("inbound", "tcp", 80, "192.168.1.1")
# test out of ip range by one.
assert not f.accept_packet("inbound", "tcp", 88, "192.168.2.0")
# test packet is only tested against applicable rules
assert not f.accept_packet("outbound", "tcp", 80, "192.168.2.0")
print('Edge Cases Passed')
# testing/executable file
from firewall import Firewall
import time
FILE_PATH = 'rules.csv'
if __name__ == '__main__':
x = time.time()
fw = Firewall(FILE_PATH)
print(time.time()-x)
print(fw.accept_packet("inbound", "tcp", 80, "192.168.1.2")) # matches first rule
print(fw.accept_packet("inbound", "udp", 53, "192.168.2.1")) # matches third rule
print(fw.accept_packet("outbound", "tcp", 10234, "192.168.10.11")) # matches second rule
print(fw.accept_packet("inbound", "tcp", 81, "192.168.1.2"))
print(fw.accept_packet("inbound", "udp", 24, "52.12.48.92"))
print(fw.accept_packet("outbound", "tcp", 550, "192.229.0.0"))
print(fw.accept_packet("inbound", "tcp", 1000, "10.89.228.24"))
print(fw.accept_packet("inbound", "udp", 65535, "255.255.255.255"))
print(time.time()-x)
cur = 1
while os.path.isfile("tests/fw" + str(cur) + ".csv") and os.path.isfile("tests/test" + str(cur) + ".csv"):
print("TEST: " + str(cur))
# Construct Firewall Class
fw = Firewall("tests/fw" + str(cur) + ".csv")
# Parse each line of test csv file
with open("tests/test" + str(cur) + ".csv", 'r') as f:
reader = csv.reader(f)
for line in reader:
if 5 != len(line):
print("Invalid format in input")
print(line)
sys.exit()
transaction = line[0]
transport = line[1]
port = int(line[2])
ip = line[3]
expected = line[4]
if expected == "True":
expected = True
else:
expected = False
# Check if expected value matches with actual response of firewall
if expected == fw.accept_packet(transaction, transport, port, ip):
print(" PASS: "******" " + transport + " Port:" + str(port) + " IP:" + ip + " Expected:" + str(expected))
else:
print(" FAIL: " + transaction + " " + transport + " Port:" + str(port) + " IP:" + ip + " Expected:" + str(expected))
cur += 1
from firewall import Firewall
fw = Firewall('./test_files/sample_small.csv')
print(fw.accept_packet("inbound", "tcp", 80, "192.168.1.2"))
for num in range(0, num_combo):
rules.append(self.__generate_combo_rule())
# Shuffle the rules to mix them up!
random.shuffle(rules)
return rules
if __name__ == '__main__':
# Initialize a new test rules generator
generator = RuleGenerator()
generator.generate_and_write_rules('./generated_rules.csv', 1000000,
100000, 100000, 5000)
print('Created test generator with 1000000 rules')
# Create a new Firewall instance with the generated rules
firewall = Firewall('./generated_rules.csv')
# Generate some rules now
request_list = generator.generate_test_requests(1000)
print('Created test case with 1000 requests')
# Evaluate the time taken to process the n requests
start = default_timer()
for request in request_list:
firewall.accept_packet(request[0], request[1], int(request[2]),
request[3])
end = default_timer()
print(len(request_list), 'requests processed in', (end - start), 'seconds')
from firewall import Firewall
import sys
from time import time as timer
if (len(sys.argv) == 1):
print("Please include an input csv file as an argument")
exit()
csv_file = sys.argv[1]
fw = Firewall(csv_file)
begTime = timer()
print(fw.accept_packet("inbound", "tcp", 80, "192.168.1.2"))
print(fw.accept_packet("inbound", "udp", 53, "192.168.2.1"))
print(fw.accept_packet("outbound", "tcp", 10234, "192.168.10.11"))
print(fw.accept_packet("inbound", "tcp", 81, "192.168.1.2"))
print(fw.accept_packet("inbound", "udp", 24, "52.12.48.92"))
# 5 test cases, elapsed time: 0.00011086463928222656 sec
elapsed_time = timer() - begTime
print("Elapsed time: ")
print(elapsed_time)
from firewall import Firewall
# Check provided tests
print("PROVIDED")
fw_provided = Firewall('provided_example.csv')
assert(fw_provided.accept_packet("inbound", "tcp", 80, "192.168.1.2")) # matches first rule
assert(fw_provided.accept_packet("inbound", "udp", 53, "192.168.2.1")) # matches third rule
assert(fw_provided.accept_packet("outbound", "tcp", 10234, "192.168.10.11")) # matches second rule true
assert(fw_provided.accept_packet("inbound", "tcp", 81, "192.168.1.2")==False)
#false
assert(fw_provided.accept_packet("inbound", "udp", 24, "52.12.48.92")==False)
#false
# Check if a full range (always returns true)
print("\nFULL RANGE")
fw_full_range = Firewall('full_range.csv')
assert(fw_full_range.accept_packet("inbound", "tcp", 1, "0.0.0.0"))
assert(fw_full_range.accept_packet("inbound", "tcp", 22, "125.255.35.8"))
assert(fw_full_range.accept_packet("inbound", "tcp", 65535, "255.255.255.255"))
# Checks that values in one dir/protocol do NOT affect another
# Also checks that functions work on empty lists
assert(fw_full_range.accept_packet("inbound", "udp", 1, "0.0.0.0")==False)
assert(fw_full_range.accept_packet("outbound", "tcp", 22, "125.255.35.8")==False)
assert(fw_full_range.accept_packet("outbound", "udp", 65535, "255.255.255.255")==False)
# Tests every input for a complex, overlapping rule structure
print("\nOVERLAPS")
fw_many_overlaps = Firewall('overlaps.csv')
from firewall import Firewall
class TestFirewall(object):
def __init__(self):
pass
def generate_test_cases(self):
test_df = pd.read_csv('test_packets.csv')
return test_df
if __name__ == "__main__":
firewall = Firewall('rules.csv')
test = TestFirewall()
packets_df = test.generate_test_cases()
# Test firewall for all packets in the file
for index, packet in packets_df.iterrows():
print(
firewall.accept_packet(packet[0], packet[1], packet[2], packet[3]))
('outbound', 'udp', 100, '255.255.255.255'),
('outbound', 'udp', 100, '1.2.3.4'),
]
false_inputs = [
('inbound', 'udp', 9, '192.168.1.2'),
('outbound', 'tcp', 11, '192.168.1.2'),
('inbound', 'udp', 10, '192.168.1.1'),
('outbound', 'udp', 10, '192.168.1.3'),
('inbound', 'tcp', 19, '192.168.1.5'),
('outbound', 'tcp', 20, '192.168.1.4'),
('inbound', 'udp', 25, '192.168.1.1'),
('outbound', 'udp', 25, '192.168.1.11'),
('inbound', 'tcp', 25, '192.168.2.6'),
('inbound', 'tcp', 29, '192.20.9.10'),
('outbound', 'tcp', 30, '192.19.100.100'),
('outbound', 'udp', 31, '192.200.2.0'),
('inbound', 'tcp', 58, '192.168.1.9'),
('outbound', 'udp', 99, '0.0.0.0'),
('outbound', 'udp', 99, '255.255.255.254'),
]
fw = Firewall('./test1.csv')
for args in true_inputs:
if not fw.accept_packet(*args):
print("Failed! VALID arg {} returned FALSE".format(args))
for args in false_inputs:
if fw.accept_packet(*args):
print("Failed! INVALID arg {} returned TRUE".format(args))
from firewall import Firewall
import sys
from time import time as timer
if (len(sys.argv) == 1):
print("Please include an input csv file as an argument")
exit()
csv_file = sys.argv[1]
fw = Firewall(csv_file)
begTime = timer()
print(fw.accept_packet("inbound", "tcp", 81, "192.168.1.2"))
print(fw.accept_packet("inbound", "tcp", 53, "192.168.2.1"))
print(fw.accept_packet("outbound", "tcp", 20000, "192.168.10.11"))
print(fw.accept_packet("outbound", "udp", 1021, "52.12.48.92"))
for i in range(1, 500000):
# 500004 test cases, elapsed time: 17.200738191604614 sec
print(fw.accept_packet("inbound", "tcp", i, "192.168.1.1"))
# print time:
elapsed_time = timer() - begTime
print("Elapsed time: ")
print(elapsed_time)
# Sample test
from firewall import Firewall
fw = Firewall('rule1.csv')
print(fw.accept_packet("inbound", "tcp", 80, "192.168.1.2")) # return True
print(fw.accept_packet("inbound", "udp", 53, "192.168.2.1")) # return True
print(fw.accept_packet("outbound", "tcp", 10234,
"192.168.10.11")) # return True
print(fw.accept_packet("inbound", "tcp", 81, "192.168.1.2")) # return False
print(fw.accept_packet("inbound", "udp", 24, "52.12.48.92")) # return False
