B #1728: Restrict VNC via ESX firewall VIB package on non-conflicting ports (#2400)

From ports range 5900 - 11999.
2025-03-25 02:50:08 +03:00 · 2018-09-07 15:29:48 +02:00 · 2018-09-07 15:29:48 +02:00 · e2f54c68fb
commit e2f54c68fb
parent 7be6e601f0
4 changed files with 164 additions and 5 deletions
--- a/share/esx-fw-vnc/fw-vnc.vib
+++ b/share/esx-fw-vnc/fw-vnc.vib
--- a/share/esx-fw-vnc/fw-vnc.zip
+++ b/share/esx-fw-vnc/fw-vnc.zip
--- a/share/esx-fw-vnc/vib/descriptor.xml
+++ b/share/esx-fw-vnc/vib/descriptor.xml
@ -2,7 +2,7 @@
 <vib version="5.0">
  <type>bootbank</type>
  <name>fw-vnc</name>
-  <version>1.0.0-1</version>
+  <version>1.1.0-1</version>
  <vendor>OpenNebulaSystems</vendor>
  <summary>Firewall rules to enable VNC traffic</summary>
  <description>Firewall rules to enable VNC traffic</description>
--- a/share/esx-fw-vnc/vib/payloads/fw-vnc/etc/vmware/firewall/vnc.xml
+++ b/share/esx-fw-vnc/vib/payloads/fw-vnc/etc/vmware/firewall/vnc.xml
@ -1,16 +1,175 @@
 <ConfigRoot>
  <service>
    <id>VNC</id>
-    <rule>
+    <enabled>true</enabled>
+    <required>false</required>
+
+    <!--
+        Documentation
+        =============
+        - https://kb.vmware.com/s/article/2039095
+        - vSphere 5.5: https://docs.vmware.com/en/VMware-vSphere/5.5/com.vmware.vsphere.install.doc/GUID-925370DD-E3D1-455B-81C7-CB28AAF20617.html
+        - vSphere 6.0: https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.install.doc/GUID-171B99EA-15B3-4CC5-8B9A-577D8336FAA0.html
+        - vSphere 6.5: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-171B99EA-15B3-4CC5-8B9A-577D8336FAA0.html
+        - vSphere 6.7: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.esxi.upgrade.doc/GUID-171B99EA-15B3-4CC5-8B9A-577D8336FAA0.html
+
+        Excluded ports from range 5900 - 11999 (both TCP/UDP ports)
+        ===========================================================
+        5988 - CIM Server
+        5989 - CIM Secure Server
+        6999 - NSX Virtual Distributed Router
+        8000 - vMotion
+        8042 - VMware HA
+        8043 - VMware HA
+        8044 - VMware HA
+        8045 - VMware HA
+        8080 - vSAN VASA Vendor Provider
+        8100 - vSphere Fault Tolerance
+        8182 - vSphere High Availability
+        8200 - vSphere Fault Tolerance
+        8300 - vSphere Fault Rolerance
+        8301 - DVSSync
+        8302 - DVSSync
+        8889 - CIM Server
+        9000 - vSphere Update Manager
+        9080 - I/O Filter Service
+
+        OpenNebula oned.conf VNC_PORTS configuration
+        ============================================
+        VNC_PORTS = [
+            START    = 5900,
+            RESERVED = "5988:5989, 6999, 8000, 8042:8045, 8080, 8100, 8182, 8200, 8300:8302, 8889, 9000, 9080, 12000:65535"
+        ]
+      -->
+
+    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>5900</begin>
-        <end>65535</end>
+        <end>5987</end>
+      </port>
+    </rule>
+
+    <rule id='0001'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>5990</begin>
+        <end>6998</end>
+      </port>
+    </rule>
+
+    <rule id='0002'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>7000</begin>
+        <end>7999</end>
+      </port>
+    </rule>
+
+    <rule id='0003'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>8001</begin>
+        <end>8041</end>
+      </port>
+    </rule>
+
+    <rule id='0004'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>8046</begin>
+        <end>8079</end>
+      </port>
+    </rule>
+
+    <rule id='0005'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>8081</begin>
+        <end>8099</end>
+      </port>
+    </rule>
+
+    <rule id='0006'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>8101</begin>
+        <end>8181</end>
+      </port>
+    </rule>
+
+    <rule id='0007'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>8183</begin>
+        <end>8199</end>
+      </port>
+    </rule>
+
+    <rule id='0008'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>8201</begin>
+        <end>8299</end>
+      </port>
+    </rule>
+
+    <rule id='0009'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>8303</begin>
+        <end>8888</end>
+      </port>
+    </rule>
+
+    <rule id='0010'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>8890</begin>
+        <end>8999</end>
+      </port>
+    </rule>
+
+    <rule id='0011'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>9001</begin>
+        <end>9079</end>
+      </port>
+    </rule>
+
+    <rule id='0012'>
+      <direction>inbound</direction>
+      <protocol>tcp</protocol>
+      <porttype>dst</porttype>
+      <port>
+        <begin>9081</begin>
+        <end>11999</end>
      </port>
    </rule>
-    <enabled>true</enabled>
-    <required>false</required>
  </service>
 </ConfigRoot>