Objective
Create automated test workflow that attempts to bypass the firewall through various attack vectors to validate defense-in-depth architecture.
Context
Current state: No dedicated firewall escape testing exists. Security posture validated through code review only.
Risk: Firewall could have undiscovered bypass vulnerabilities that static analysis doesn't catch.
Risk level: 🟡 MEDIUM - Missing validation of security controls
Implementation Approach
Create new GitHub Actions workflow .github/workflows/firewall-escape-test.yml with test scenarios:
Test Categories
-
DNS Exfiltration Attempts
- Try querying unauthorized DNS servers
- Attempt DNS tunneling to exfiltrate data
- Expected: All blocked, logged with
[FW_BLOCKED_UDP]
-
Port Scanning Attempts
- Try connecting to dangerous ports (22, 3306, 5432)
- Attempt ICMP ping to unauthorized hosts
- Expected: All blocked by iptables
-
iptables Rule Modification
- Try
iptables -F to flush rules
- Attempt to add ACCEPT rule for all traffic
- Expected: Permission denied (NET_ADMIN dropped)
-
Container Escape Attempts
- Try
mount to access host filesystem
- Attempt
ptrace on host processes
- Expected: Blocked by seccomp profile
-
Protocol Bypass Attempts
- Try QUIC/HTTP3 to bypass HTTP/HTTPS filtering
- Attempt raw socket creation
- Expected: NET_RAW capability missing
-
Domain Pattern Bypass
- Try overly broad patterns (
*, *.*)
- Attempt double-dot patterns (
example..com)
- Expected: Validation errors, container not started
Files to Create
.github/workflows/firewall-escape-test.yml - Main test workflowtests/security/escape-attempts.ts - Test script with all attack vectorstests/security/expected-blocks.json - Expected block patterns in logs
Files to Modify
README.md - Document security testing approach.github/workflows/test-agent-all.yml - Add dependency on escape tests
Testing Strategy
Each test should:
- Attempt the bypass technique
- Verify it was blocked
- Check logs for expected block messages
- Report failure if bypass succeeded
Acceptance Criteria
AI generated by Plan Command for discussion #302
Objective
Create automated test workflow that attempts to bypass the firewall through various attack vectors to validate defense-in-depth architecture.
Context
Current state: No dedicated firewall escape testing exists. Security posture validated through code review only.
Risk: Firewall could have undiscovered bypass vulnerabilities that static analysis doesn't catch.
Risk level: 🟡 MEDIUM - Missing validation of security controls
Implementation Approach
Create new GitHub Actions workflow
.github/workflows/firewall-escape-test.ymlwith test scenarios:Test Categories
DNS Exfiltration Attempts
[FW_BLOCKED_UDP]Port Scanning Attempts
iptables Rule Modification
iptables -Fto flush rulesContainer Escape Attempts
mountto access host filesystemptraceon host processesProtocol Bypass Attempts
Domain Pattern Bypass
*,*.*)example..com)Files to Create
.github/workflows/firewall-escape-test.yml- Main test workflowtests/security/escape-attempts.ts- Test script with all attack vectorstests/security/expected-blocks.json- Expected block patterns in logsFiles to Modify
README.md- Document security testing approach.github/workflows/test-agent-all.yml- Add dependency on escape testsTesting Strategy
Each test should:
Acceptance Criteria
Related to [plan] security improvements from threat model review #306