VNC on ESXi Can Break Firewall

[dcarlojr]

Bug Report

Version of OpenNebula

• [ ] 5.2.2
• [ ] 5.4.0
• [X] 5.4.1
• [ ] 5.4.2
• [ ] 5.4.3
• [ ] 5.4.4
• [ ] 5.4.5
• [ ] 5.4.6
• [ ] 5.4.7
• [ ] Development build

Component

• [ ] Authorization (LDAP, x509 certs...)
• [ ] Command Line Interface (CLI)
• [ ] Contextualization
• [ ] Documentation
• [ ] Federation and HA
• [ ] Host, Clusters and Monitorization
• [ ] KVM
• [ ] Networking
• [ ] Orchestration (OpenNebula Flow)
• [ ] Packages
• [ ] Scheduler
• [ ] Storage & Images
• [ ] Sunstone
• [ ] Upgrades
• [ ] User, Groups, VDCs and ACL
• [X] vCenter (tested on ESXi/vCenter 6.5)

Description

The fw-vnc package for ESXi creates a firewall rule that opens ports 5900-65535. When a specific host is specified (ie esxcli network firewall ruleset allowedip add --ruleset-id VNC --ip-address 192.168.0.1/32) as the source, the ESXi host will restrict traffic to that specific hosts (ex 192.168.0.1/32) for other rules in the range of 5900-65535. I found this issue after the fw-vnc package broke vSAN by inadvertently blocking port 8080. As a workaround, I created a new firewall service in /etc/vmware/firewall that only opens 5900-5978. Any higher and I'm afraid of breaking the ESXi CIM service.

Expected Behavior

The /etc/vmware/firewall/vnc.xml file allowing traffic to all ports from 5900 and up to a specific host

Actual Behavior

Somehow, the VNC firewall rule in the fw-vnc package steps on other services in the 5900-65535 range.

How to reproduce

1. Verify that port 8080 is accessable from a remote host:

   # nc -z 192.168.0.1 8080
   Connection to 192.168.0.1 8080 port [tcp/webcache] succeeded!

2. Install fw-vnc on the ESXi host: # esxcli software vib install -v /tmp/fw-vnc.vib
3. Configre a single source IP:

   # esxcli network firewall ruleset set --ruleset-id VNC --allowed-all false
   # esxcli network firewall ruleset allowedip add --ruleset-id VNC --ip-address 192.168.0.1/32
   # esxcli network firewall unload
   # esxcli network firewall load
   # esxcli network firewall set --enabled true

4. Retest:

   # nc -z 192.168.0.1 8080
   <hangs>

Enhancement Request

Description

Use case

Interface Changes

Progress Status

• [x] Branch created
• [x] Code committed to development branch
• [x] Testing - QA
• [x] Documentation
• [x] Release notes - resolved issues, compatibility, known issues
• [x] Code committed to upstream release/hotfix branches
• [x] Documentation committed to upstream release/hotfix branches

[vholer]

List of ports to exclude: https://kb.vmware.com/s/article/2039095

[vholer]

Following PRs needs to be merged (following the instructions in the PRs):

• https://github.com/OpenNebula/one/pull/2400
• https://github.com/OpenNebula/docs/pull/359

Related vOneCloud issue https://github.com/OpenNebula/vonecloud/issues/11, will be fixed before next vOneCloud release.