V4V firewall (viptables) rules
Location
V4V firewall rules for the different VM types (and their stubdoms) are defined in VM templates:
https://github.com/OpenXT/manager/tree/master/templates/default
Rule management
The toolstack sets the default rule to REJECT.
Since there is no notion of connection state in the Xen V4V code (every message is checked on its own, replies included), for each VMA → VMB:port we have to define 2 ACCEPT rules, one per direction:
- VMA:* → VMB:port
- VMB:port → VMA:*
Note: "*" can now be replaced with a pre-defined port (usually port + 10000) to make things safer.
The wildcard is risky: with the reverse rule VMB:port → VMA:*, a malicious process in VMB that manages to bind "port" as its "from" port can reach all the VMA V4V services, not just the one it is supposed to answer. Pinning the VMA side to port + 10000 restricts that reverse rule to a single port.
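The two-rule requirement and the wildcard problem are easier to see with a small model of a stateless rule table. The following is an added illustration, not code from the OpenXT toolstack or its viptables implementation: the domain names and the list of probed DOM0 ports are constructed for the example, and the only rule taken from this page is the sshv4v pairing (DOM0 port 12222 to UIVM port 2222). It builds the same service twice, once with a wildcard source port and once with the pre-defined port + 10000, and shows which DOM0 ports a process in UIVM that binds port 2222 can reach in each case.

```python
"""Toy model of a stateless V4V firewall (viptables-style) rule table.

Added example, not OpenXT code. Domain names and PROBE_PORTS are constructed;
the sshv4v rule (DOM0:12222 <-> UIVM:2222) is the one listed on the page.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY: Optional[int] = None          # stands for the "*" wildcard used on the page
ACCEPT, REJECT = "ACCEPT", "REJECT"


@dataclass(frozen=True)
class Rule:
    src_dom: str
    src_port: Optional[int]        # ANY matches every source port
    dst_dom: str
    dst_port: Optional[int]        # ANY matches every destination port
    action: str = ACCEPT

    def matches(self, src_dom: str, src_port: int, dst_dom: str, dst_port: int) -> bool:
        return (self.src_dom == src_dom and self.dst_dom == dst_dom
                and self.src_port in (ANY, src_port)
                and self.dst_port in (ANY, dst_port))


class V4VFirewall:
    """Each message is judged on its own: there is no connection tracking,
    so a reply is only delivered if some rule allows that direction too."""

    def __init__(self, default: str = REJECT):
        self.rules: List[Rule] = []
        self.default = default         # the toolstack's default is REJECT

    def decide(self, src_dom: str, src_port: int, dst_dom: str, dst_port: int) -> str:
        for rule in self.rules:        # first match wins
            if rule.matches(src_dom, src_port, dst_dom, dst_port):
                return rule.action
        return self.default

    def allow_service(self, client: str, server: str, port: int,
                      client_port: Optional[int] = ANY) -> None:
        """Install the two ACCEPT rules needed for client -> server:port.

        client_port=ANY is the wildcard form from the page; passing
        port + 10000 is the pre-defined source-port form it recommends."""
        self.rules.append(Rule(client, client_port, server, port))   # VMA:cp -> VMB:port
        self.rules.append(Rule(server, port, client, client_port))   # VMB:port -> VMA:cp


# Constructed list of DOM0 ports a compromised guest process might probe.
PROBE_PORTS = [80, 2222, 4001, 4878, 5555, 8080, 12222]


def reachable_from_server_port(fw: V4VFirewall, server: str, port: int,
                               client: str, candidates: List[int]) -> List[int]:
    """Client ports that a process on `server`, sending from source port
    `port`, is allowed to reach. This is the attack on the page: a process in
    VMB grabs VMB:port and rides the reverse ACCEPT rule back into VMA."""
    return [p for p in candidates if fw.decide(server, port, client, p) == ACCEPT]


def sshv4v_wildcard() -> V4VFirewall:
    fw = V4VFirewall()
    fw.allow_service("DOM0", "UIVM", 2222)                      # DOM0:* <-> UIVM:2222
    return fw


def sshv4v_reserved() -> V4VFirewall:
    fw = V4VFirewall()
    fw.allow_service("DOM0", "UIVM", 2222, client_port=12222)   # DOM0:12222 <-> UIVM:2222
    return fw


if __name__ == "__main__":
    for name, fw in (("wildcard", sshv4v_wildcard()), ("reserved", sshv4v_reserved())):
        hit = reachable_from_server_port(fw, "UIVM", 2222, "DOM0", PROBE_PORTS)
        print(f"{name}: a UIVM process bound to 2222 can reach DOM0 ports {hit}")
```

With the wildcard rule the UIVM process bound to 2222 reaches every probed DOM0 port; with the reserved 12222 it reaches only 12222, and a DOM0 client sending from any other source port is rejected, which is the cost of the safer form: the client side must actually bind the agreed port.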
Rules
DOM0
- can talk to UIVM and NDVM from port 12222 to port 2222
  used for: sshv4v
- can talk to NDVM from port 15555 to port 5555
  used for: dbus (probably network-master talking to network-slave)
UIVM
- can talk to DOM0 on port 80
  used for: the web UI
- can talk to DOM0 on port 2222
  used for: sshv4v (ctrl-shift-t)
- can talk to DOM0 on port 4878
  used for: icbinn
- can talk to DOM0 on port 5555
  used for: dbus for UI scripts, see https://github.com/OpenXT/xenclient-oe/tree/master/recipes-openxt/xenclient/xenclient-uivm-xsessionconfig
- can talk to DOM0 on port 8080
  used for: special web UI requests
- can talk to NDVM on port 5555
  used for: dbus (nm-applet talking to networkmanager)
NDVM
- can talk to DOM0 on port 4878
  used for: icbinn
- can talk to DOM0 on port 5555
  used for: dbus (network-slave talking to network-master?)
SYNCVM
- can talk to DOM0 on port 4878
  used for: icbinn and vhd-util (env var LIBVHD_ICBINN_VHD_SERVER)
- can talk to DOM0 on port 4879
  used for: vhd-util (env var LIBVHD_ICBINN_KEY_SERVER)
- can talk to DOM0 on port 5556
  used for: dbus (sync-client-daemon issuing dbus commands to xenmgr)
Regular guests
- can't talk to anything over V4V: no ACCEPT rules are defined, so only the default REJECT applies
Stubdomains
- can talk to DOM0 on port 4001
  used for: dmbus service 1
- can talk to DOM0 on port 4002
  used for: dmbus service 2
- can talk to DOM0 on port 5000
  used for: atapi_pt_helper
- can talk to DOM0 on port 5001
  used for: audio_helper
- can talk to DOM0 on port 5100
  used for: qmp_helper, which proxies QEMU Machine Protocol (QMP) commands