firewalld

Use the firewalld InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services and ports on a system.

A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.


Syntax

describe firewalld do
  it { should be_running }
  its('default_zone') { should eq 'public' }
  it { should have_service_enabled_in_zone('ssh', 'public') }
  it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
end

Use the where clause to test open interfaces, sources, and services in active zones.

describe firewalld.where { zone == 'public' } do
  its('interfaces') { should cmp ['enp0s3', 'eno2'] }
  its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
  its('services') { should cmp ['ssh', 'icmp'] }
end


Properties

interfaces

The interfaces property is used in conjunction with the where class to display open interfaces in an active zone.

describe firewalld.where { zone == 'public' } do
  its('interfaces') { should cmp ['enp0s3', 'eno2'] }
end

sources

The sources property is used in conjunction with the where class to display open sources in an active zone.

describe firewalld.where { zone == 'public' } do
  its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
end

services

The services property is used in conjunction with the where class to display open services in an active zone.

describe firewalld.where { zone == 'public' } do
  its('services') { should cmp ['ssh', 'icmp'] }
end

default_zone

The default_zone property displays the default active zone to be used.

its('default_zone') { should eq 'public' }


Matchers

For a full list of available matchers, please visit our matchers page.

be_installed

The be_installed matcher tests if the firewalld service is installed:

it { should be_installed }

be_running

The be_running matcher tests if the firewalld service is running:

it { should be_running }

have_zone

have_zone returns true or false if the zone is set on firewalld. It does not mean the zone is active.

it { should have_zone('public') }

have_service_enabled_in_zone

have_service_enabled_in_zone returns true or false if the service is allowed in the specified zone.

it { should have_service_enabled_in_zone('ssh', 'public') }

have_port_enabled_in_zone

have_port_enabled_in_zone returns true or false if the port is allowed in the specified zone.

it { should have_port_enabled_in_zone('22/tcp', 'public') }

have_rule_enabled

have_rule_enabled returns true or false if the rich-rule has been specified in the zone.

it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }

It is not necessary to add the “rule” string, and you can start with the optional flags that are used in firewalld and end with the action