
ESXI 6 Firewall broken?


Felix
2016-02-16, 10:49 AM
Quote Originally Posted by therealjayz
Something is wrong with the OS template and it's not possible to get the rules to load, I just get an error:
[jayz@ns524392:~] esxcli network firewall set --enabled true
Unable to load module /usr/lib/vmware/vmkmod/esxfw: Busy
This is odd, as our setup consists of the regular ESXi installer .iso, with just some added VIBs for better HW support and the enabled sshd.
I will check if I can reproduce this issue in our lab.

Best regards,
Felix

edit: in a first quick test I wasn't able to reproduce:
[root@nsXXXXXX:~] esxcli network firewall get
Default Action: DROP
Enabled: false
Loaded: true
[root@nsXXXXXX:~] esxcli network firewall set --enabled true
[root@nsXXXXXX:~] esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true

therealjayz
2016-02-10, 03:51 PM
I am referring to the firewall within ESXi, not the OVH firewall. You can see my follow-up. It turns out there is an issue in the OS template that causes the firewall rules not to load properly, in particular the IP filtering.

therealjayz
2016-02-10, 03:49 PM
The normal fw rule to drop all traffic that does not fit in a permitted pattern is set, but not enabled:
[jayz@ns524392:~] esxcli network firewall get
Default Action: DROP
Enabled: false
Loaded: true

Something is wrong with the OS template and it's not possible to get the rules to load, I just get an error:
[jayz@ns524392:~] esxcli network firewall set --enabled true
Unable to load module /usr/lib/vmware/vmkmod/esxfw: Busy

Rebooting, maintenance mode, etc does not resolve this. But updating the OS image from VMware sources does. (If you try it, you will see very few files get changed).
[jayz@ns524392:~] vim-cmd /hostsvc/maintenance_mode_enter
'vim.Task:haTask-ha-host-vim.HostSystem.enterMaintenanceMode-10358'
[jayz@ns524392:~] esxcli network firewall ruleset set -e true -r httpClient
[jayz@ns524392:~] esxcli software profile update -d vmw-depot-index.xml -p ESXi-6.0.0-20160104001-standard
Update Result
Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
Reboot Required: true
VIBs Installed: VMware_bootbank_ehci-ehci-hcd_1.0-3vmw.600.1.26.3380124, VMware_bootbank_esx-base_6.0.0-1.26.3380124, VMware_bootbank_misc-drivers_6.0.0-1.26.3380124, VMware_bootbank_net-e1000e_3.2.2.1-1vmw.600.1.26.3380124, VMware_bootbank_net-tg3_3.131d.v60.4-2vmw.600.1.26.3380124, VMware_bootbank_xhci-xhci_1.0-3vmw.600.1.26.3380124, VMware_locker_tools-light_6.0.0-1.26.3380124
VIBs Removed: VMware_bootbank_ehci-ehci-hcd_1.0-3vmw.600.0.0.2494585, VMware_bootbank_esx-base_6.0.0-1.17.3029758, VMware_bootbank_misc-drivers_6.0.0-1.17.3029758, VMware_bootbank_net-e1000e_2.5.4-6vmw.600.0.0.2494585, VMware_bootbank_net-tg3_3.131d.v60.4-1vmw.600.0.0.2494585, VMware_bootbank_xhci-xhci_1.0-2vmw.600.1.17.3029758, VMware_locker_tools-light_6.0.0-1.17.3029758
VIBs Skipped: VMWARE_bootbank_mtip32xx-native_3.8.5-1vmw.600.0.0.2494585, VMware_bootbank_ata-pata-amd_0.3.10-3vmw.600.0.0.2494585, VMware_bootbank_ata-pata-atiixp_0.4.6-4vmw.600.0.0.2494585, VMware_bootbank_ata-pata-cmd64x_0.2.5-3vmw.600.0.0.2494585, VMware_bootbank_ata-pata-hpt3x2n_0.3.4-3vmw.600.0.0.2494585, VMware_bootbank_ata-pata-pdc2027x_1.0-3vmw.600.0.0.2494585, VMware_bootbank_ata-pata-serverworks_0.4.3-3vmw.600.0.0.2494585, VMware_bootbank_ata-pata-sil680_0.4.8-3vmw.600.0.0.2494585, VMware_bootbank_ata-pata-via_0.3.3-2vmw.600.0.0.2494585, VMware_bootbank_block-cciss_3.6.14-10vmw.600.0.0.2494585, VMware_bootbank_cpu-microcode_6.0.0-0.0.2494585, VMware_bootbank_elxnet_10.2.309.6v-1vmw.600.0.0.2494585, VMware_bootbank_emulex-esx-elxnetcli_10.2.309.6v-0.0.2494585, VMware_bootbank_esx-dvfilter-generic-fastpath_6.0.0-0.0.2494585, VMware_bootbank_esx-tboot_6.0.0-0.0.2494585, VMware_bootbank_esx-xserver_6.0.0-0.0.2494585, VMware_bootbank_ima-qla4xxx_2.02.18-1vmw.600.0.0.2494585, VMware_bootbank_ipmi-ipmi-devintf_39.1-4vmw.600.0.0.2494585, VMware_bootbank_ipmi-ipmi-msghandler_39.1-4vmw.600.0.0.2494585, VMware_bootbank_ipmi-ipmi-si-drv_39.1-4vmw.600.0.0.2494585, VMware_bootbank_lpfc_10.2.309.8-2vmw.600.0.0.2494585, VMware_bootbank_lsi-mr3_6.605.08.00-7vmw.600.1.17.3029758, VMware_bootbank_lsi-msgpt3_06.255.12.00-8vmw.600.1.17.3029758, VMware_bootbank_lsu-hp-hpsa-plugin_1.0.0-1vmw.600.0.0.2494585, VMware_bootbank_lsu-lsi-lsi-mr3-plugin_1.0.0-2vmw.600.0.11.2809209, VMware_bootbank_lsu-lsi-lsi-msgpt3-plugin_1.0.0-1vmw.600.0.0.2494585, VMware_bootbank_lsu-lsi-megaraid-sas-plugin_1.0.0-2vmw.600.0.11.2809209, VMware_bootbank_lsu-lsi-mpt2sas-plugin_1.0.0-4vmw.600.1.17.3029758, VMware_bootbank_lsu-lsi-mptsas-plugin_1.0.0-1vmw.600.0.0.2494585, VMware_bootbank_misc-cnic-register_1.78.75.v60.7-1vmw.600.0.0.2494585, VMware_bootbank_net-bnx2_2.2.4f.v60.10-1vmw.600.0.0.2494585, VMware_bootbank_net-bnx2x_1.78.80.v60.12-1vmw.600.0.0.2494585, 
VMware_bootbank_net-cnic_1.78.76.v60.13-2vmw.600.0.0.2494585, VMware_bootbank_net-e1000_8.0.3.1-5vmw.600.0.0.2494585, VMware_bootbank_net-enic_2.1.2.38-2vmw.600.0.0.2494585, VMware_bootbank_net-forcedeth_0.61-2vmw.600.0.0.2494585, VMware_bootbank_net-igb_5.0.5.1.1-5vmw.600.0.0.2494585, VMware_bootbank_net-ixgbe_3.7.13.7.14iov-20vmw.600.0.0.2494585, VMware_bootbank_net-mlx4-core_1.9.7.0-1vmw.600.0.0.2494585, VMware_bootbank_net-mlx4-en_1.9.7.0-1vmw.600.0.0.2494585, VMware_bootbank_net-nx-nic_5.0.621-5vmw.600.0.0.2494585, VMware_bootbank_net-vmxnet3_1.1.3.0-3vmw.600.0.0.2494585, VMware_bootbank_nmlx4-core_3.0.0.0-1vmw.600.0.0.2494585, VMware_bootbank_nmlx4-en_3.0.0.0-1vmw.600.0.0.2494585, VMware_bootbank_nmlx4-rdma_3.0.0.0-1vmw.600.0.0.2494585, VMware_bootbank_nvme_1.0e.0.35-1vmw.600.1.17.3029758, VMware_bootbank_ohci-usb-ohci_1.0-3vmw.600.0.0.2494585, VMware_bootbank_qlnativefc_2.0.12.0-5vmw.600.0.0.2494585, VMware_bootbank_rste_2.0.2.0088-4vmw.600.0.0.2494585, VMware_bootbank_sata-ahci_3.0-22vmw.600.1.17.3029758, VMware_bootbank_sata-ata-piix_2.12-10vmw.600.0.0.2494585, VMware_bootbank_sata-sata-nv_3.5-4vmw.600.0.0.2494585, VMware_bootbank_sata-sata-promise_2.12-3vmw.600.0.0.2494585, VMware_bootbank_sata-sata-sil24_1.1-1vmw.600.0.0.2494585, VMware_bootbank_sata-sata-sil_2.3-4vmw.600.0.0.2494585, VMware_bootbank_sata-sata-svw_2.3-3vmw.600.0.0.2494585, VMware_bootbank_scsi-aacraid_1.1.5.1-9vmw.600.0.0.2494585, VMware_bootbank_scsi-adp94xx_1.0.8.12-6vmw.600.0.0.2494585, VMware_bootbank_scsi-aic79xx_3.1-5vmw.600.0.0.2494585, VMware_bootbank_scsi-bnx2fc_1.78.78.v60.8-1vmw.600.0.0.2494585, VMware_bootbank_scsi-bnx2i_2.78.76.v60.8-1vmw.600.0.11.2809209, VMware_bootbank_scsi-fnic_1.5.0.45-3vmw.600.0.0.2494585, VMware_bootbank_scsi-hpsa_6.0.0.44-4vmw.600.0.0.2494585, VMware_bootbank_scsi-ips_7.12.05-4vmw.600.0.0.2494585, VMware_bootbank_scsi-megaraid-mbox_2.20.5.1-6vmw.600.0.0.2494585, VMware_bootbank_scsi-megaraid-sas_6.603.55.00-2vmw.600.0.0.2494585, 
VMware_bootbank_scsi-megaraid2_2.00.4-9vmw.600.0.0.2494585, VMware_bootbank_scsi-mpt2sas_19.00.00.00-1vmw.600.0.0.2494585, VMware_bootbank_scsi-mptsas_4.23.01.00-9vmw.600.0.0.2494585, VMware_bootbank_scsi-mptspi_4.23.01.00-9vmw.600.0.0.2494585, VMware_bootbank_scsi-qla4xxx_5.01.03.2-7vmw.600.0.0.2494585, VMware_bootbank_uhci-usb-uhci_1.0-3vmw.600.0.0.2494585, VMware_bootbank_vsanhealth_6.0.0-3000000.2.0.1.17.2972216
[jayz@ns524392:~] reboot

And now it works:
[jayz@ns524392:~] esxcli network firewall set --enabled true
[jayz@ns524392:~] esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true

In conclusion, these are not spoofed IPs trying to brute my server. This is just a case of the firewall not working properly out of the box. The above should fix it for everyone. You might want to look at the template and adjust so that "out of the box" IP filtering is working properly.

I understand that OVH provides a very robust firewall right in the control panel but for many people, like myself that might not be ideal.
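The procedure in the post above boils down to one check repeated before and after the fix: is the ESXi firewall both loaded and enabled, with a DROP default action, and does `esxcli network firewall set --enabled true` come back clean or with the "Unable to load module" error? The script below is an added example, not code from the thread or from VMware/OVH. It parses the `esxcli network firewall get` output in the shape posted here, classifies the host, and interprets the enable attempt. All function names are my own, the sample outputs are constructed copies of the shapes shown in the thread, and the live path assumes `esxcli` is in PATH (i.e. it is run in the ESXi shell or over SSH to the host).

```shell
#!/bin/sh
# Added example: audit whether the ESXi host firewall is actually enforcing.
# Not part of the original thread; all function names are hypothetical.

# Print the value of field $1 (e.g. "Enabled", "Default Action") from the
# captured `esxcli network firewall get` output passed as $2, lowercased.
fw_field() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" \
        | head -n 1 \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 only when the module is loaded, the firewall is enabled and the
# default action is DROP. Anything else means IP restrictions are not applied.
fw_is_enforcing() {
    [ "$(fw_field 'Loaded' "$1")" = "true" ] || return 1
    [ "$(fw_field 'Enabled' "$1")" = "true" ] || return 1
    [ "$(fw_field 'Default Action' "$1")" = "drop" ] || return 1
    return 0
}

# One-word classification of the `firewall get` output.
fw_classify() {
    if fw_is_enforcing "$1"; then
        echo enforcing
    elif [ "$(fw_field 'Loaded' "$1")" = "true" ] \
      && [ "$(fw_field 'Enabled' "$1")" = "false" ]; then
        echo loaded_not_enabled      # the state reported in the thread
    else
        echo unknown
    fi
}

# Interpret the output of `esxcli network firewall set --enabled true`.
# Success prints nothing; the esxfw module load failure is the thread's symptom.
fw_enable_result() {
    case "$1" in
        "")                         echo enabled ;;
        *"Unable to load module"*)  echo module_load_failed ;;
        *)                          echo error ;;
    esac
}

# Live audit: only meaningful on the ESXi host itself.
audit_live_host() {
    command -v esxcli >/dev/null 2>&1 || { echo "esxcli not found" >&2; return 2; }
    get_out=$(esxcli network firewall get) || return 2
    state=$(fw_classify "$get_out")
    echo "firewall state: $state"
    [ "$state" = enforcing ] && return 0
    set_out=$(esxcli network firewall set --enabled true 2>&1)
    result=$(fw_enable_result "$set_out")
    echo "enable attempt: $result"
    if [ "$result" = module_load_failed ]; then
        # Matches the thread: reboot/maintenance mode did not help, updating
        # the image profile (esx-base) from VMware's depot and rebooting did.
        echo "esxfw module will not load; update the image profile and reboot" >&2
    fi
    return 1
}

# Constructed samples mirroring the outputs posted in the thread.
SAMPLE_BROKEN='Default Action: DROP
Enabled: false
Loaded: true'
SAMPLE_FIXED='Default Action: DROP
Enabled: true
Loaded: true'
SAMPLE_BUSY='Unable to load module /usr/lib/vmware/vmkmod/esxfw: Busy'

if [ "${1:-}" = "--live" ]; then
    audit_live_host
else
    # Offline demonstration on the constructed samples.
    echo "before update: $(fw_classify "$SAMPLE_BROKEN")"
    echo "enable attempt: $(fw_enable_result "$SAMPLE_BUSY")"
    echo "after update:  $(fw_classify "$SAMPLE_FIXED")"
fi
```

Run it with `--live` on the host to audit a real installation; without arguments it only exercises the constructed samples. A passing state here is necessary but not sufficient: it says nothing about the per-ruleset allowed IP lists, so the poster's end-to-end test (remove your own address from the allowed list and confirm SSH is then refused) remains the check that the restrictions are really enforced.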

James @ OVH
2016-02-10, 01:20 PM
Hello,

The OVH Firewall protects against all external incoming traffic. In this case it is possible that if you are using the OVH firewall you are receiving traffic from servers within OVH's datacenters. This is why it is still important to use your OS's firewall or another solution of your choice.

Here is a link to the OVH firewall guide: http://docs.ovh.ca/en/guides-network-firewall.html

If this is not the case I would like to suggest opening a support ticket or giving us a call.

Thank you!

James @ OVH
+1 855 684 5463

therealjayz
2016-02-10, 12:17 PM
Wondering if anyone else has seen this?

I have 3 OVH servers, 1 on OVH and 2 on sys. One is a clean install of esxi6 using the OVH image. I have noticed that even with the firewall enabled and IP restrictions in place my event logs are filling up with brute force attempts on SSH. Technically this should not happen. The firewall should block it. To test, I removed my own IP from the firewall and sure enough, I can still login. Not good.

I tested my other 2 servers. 1 is a sys server running esxi 6. It too has the same issue. It's like the IP restrictions are being ignored. The 3rd however is behaving properly. What's unique about this 3rd server is it's quite old. It started as esxi 4.x and has been upgraded via the CLI and vmware source files over the last 2 or so years to version 6.
So is it possible that the OVH image has a flaw in the firewall component of the OS image?

Yes, I can use OVH's own firewall services but that's not the point and it will be a headache when considering other things I have to do...