Advanced Security Features (CLI)
These features require an Enterprise or Enterprise Plus license.
VM Networking
> anka modify 14.2.1 network --help
usage: network [options]
Modify network card settings
options:
-t,--mode <val> network mode: shared/host/bridge/disconnected
-b,--bridge <val> host interface name to bridge with in the bridge mode, or "auto"
-m,--mac <val> specify fixed MAC address, or "auto"
-v,--vlan <val> assign VLAN ID, 0 to deassign
-c,--controller <val> set controller: anet, virtio-net
-f,--filter <val> filtering rules file to inject on VM start, or embed in VM config (with '-f- < rules.txt'), or use 'off' to disable
Block VM to VM and VM to Host communication
You may wish to disable the ability of VMs to communicate with each other, or of VMs and the host to communicate. This can be done with --no-local under anka modify {VM} network.
IP Filtering Rules
Starting in Anka 3.3, users can apply VM/Template-specific network traffic filtering that mimics the behavior of ipf.conf.
Filter rules are checked in descending order, with the first matching rule determining the treatment of the packet. For example, the following rules will block any traffic and ignore all other rules:
block any
pass out from all
Examples of rules you can set on a VM:
block out to 1.1.1.1 from any
block out to 1.1.1.1 port 53
block in to port 22
block out from port 68 to port 67
block in from any port 67 to any port 68
block any from port 67 to port 68
block any
block local
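As an added example (not Anka's own code or documentation), the following Python evaluator applies the first-match, top-to-bottom semantics described above to the rule lines shown on this page and flags rules that can never match because an unconditional rule precedes them. The grammar it parses, CIDR support for addresses, the packet representation and the "pass" default when no rule matches are all assumptions made for illustration.

```python
import ipaddress
# Assumed grammar for the rule lines shown on this page (not Anka's own parser):
#   <block|pass> [in|out|any|local] [from <addr|any|all> [port N]] [to <addr|any|all> [port N]]
def parse_rule(line):
    tok = line.split()
    if len(tok) < 2 or tok[0] not in ("block", "pass"):
        raise ValueError(f"bad rule: {line!r}")
    has_dir = tok[1] in ("in", "out", "any", "local")
    rule = {"action": tok[0], "dir": tok[1] if has_dir else "any", "src": None, "sport": None, "dst": None, "dport": None}
    i = 2 if has_dir else 1
    while i < len(tok):
        side, i = tok[i], i + 1
        if side not in ("from", "to"):
            raise ValueError(f"unexpected token {side!r} in {line!r}")
        host_key, port_key = ("src", "sport") if side == "from" else ("dst", "dport")
        if i < len(tok) and tok[i] not in ("port", "from", "to"):   # address, or any/all as a wildcard
            rule[host_key] = None if tok[i] in ("any", "all") else ipaddress.ip_network(tok[i])
            i += 1
        if i + 1 < len(tok) and tok[i] == "port":
            rule[port_key], i = int(tok[i + 1]), i + 2
    return rule

def matches(rule, pkt):
    # pkt: dir (in/out), src, dst, optional sport/dport, local=True for VM<->host or VM<->VM traffic
    if (rule["dir"] == "local" and not pkt.get("local", False)) or (rule["dir"] in ("in", "out") and rule["dir"] != pkt["dir"]):
        return False
    for key in ("src", "dst"):
        addr = pkt.get(key)
        if rule[key] is not None and (addr is None or ipaddress.ip_address(addr) not in rule[key]):
            return False
    return all(rule[k] is None or rule[k] == pkt.get(k) for k in ("sport", "dport"))

def evaluate(rules_text, pkt, default="pass"):
    """First matching rule, top to bottom, decides; 'pass' when nothing matches is an assumption."""
    for line in (l.strip() for l in rules_text.splitlines()):
        if line and matches(parse_rule(line), pkt):
            return line.split()[0], line
    return default, None

def unreachable_rules(rules_text):
    """Review check: rules listed after an unconditional one such as 'block any' can never match."""
    lines = [l.strip() for l in rules_text.splitlines() if l.strip()]
    for idx, line in enumerate(lines):
        r = parse_rule(line)
        if r["dir"] == "any" and all(r[k] is None for k in ("src", "sport", "dst", "dport")):
            return lines[idx + 1:]
    return []

# Constructed sample packet: a VM's outbound DNS query to 1.1.1.1.
DNS_QUERY = {"dir": "out", "src": "10.20.30.5", "sport": 51000, "dst": "1.1.1.1", "dport": 53}
```

Running unreachable_rules over a rules file before handing it to anka modify catches the ordering mistake shown above, where a leading "block any" silences every rule after it.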
You can apply rules in several ways:
Globally, for all VMs that run on the host, by setting the path to the rules file: anka config net_filter /Users/myUser/vm-filter-rules. This global file is ignored if the VM Template already has filter rules applied.
With a dynamic file from the host, set in the specific VM Template and applied at VM start time. This allows you to create rules specific to a VM + Host combination.
❯ cd ~; cat << EOF > ./rules
pass in from 10.20.30.40
pass out to 10.20.30.40
block any
EOF
❯ anka modify 13.3.1 network --filter rules
❯ anka show 13.3.1 network -f
pass in from 10.20.30.40
pass out to 10.20.30.40
block any
❯ cat ~/Library/Application\ Support/Veertu/Anka/vm_lib/c12ccfa5-8757-411e-9505-128190e9854e/config.yaml | grep net
network_cards:
controller: virtio-net
net_filter: /Users/nathanpierce/rules
Embedding the rules inside the VM's config, so that no rules file is required on the host. This is useful when you want to avoid having to ensure the rules file exists on every host.
❯ cd ~; cat << EOF > ./rules
block in from any port 22
block local
EOF
❯ anka modify 13.3.1 network -f- < rules
❯ anka show 13.3.1 network -f
block in from any port 22
block local
❯ cat ~/Library/Application\ Support/Veertu/Anka/vm_lib/c12ccfa5-8757-411e-9505-128190e9854e/net_filter
block in from any port 22
block local%
You can also apply a single rule using:
echo "block any" | anka modify 13.3.1 network -f-
Applying new rules removes all previously set rules; they are replaced, not appended.
You can disable the rules with:
anka modify 13.3.1 network --filter off