Opened 6 years ago
Closed 6 years ago
#17914 closed defect (wontfix)
[security] NAT VM bypasses host firewall
| Reported by: | tweevosha | Owned by: | |
|---|---|---|---|
| Component: | network/NAT | Version: | VirtualBox 5.2.16 |
| Keywords: | | Cc: | |
| Guest type: | all | Host type: | Linux |
Description
A NAT VM is able to completely bypass the host firewall and access services on blocked ports. For example, the guest can ping the host (even if the host firewall blocks pings) and can access the host web server (even if the host firewall blocks access to the web server). There may be a zillion other non-public host services which are accessible to the guest.
Affects Linux hosts running an iptables-based firewall.
Change History (7)
comment:2 by , 6 years ago
"You have to configure your host firewall accordingly" -- short of blocking the host from accessing its own services, is there a way to block NAT VMs from accessing those services?
comment:3 by , 6 years ago
You could start the VM using a different user account and add an iptables -m owner --uid-owner rule for that user ID, assuming you don't want to filter your main user's ID.
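The owner-match approach from comment:3, worked through as an added example (not code from the ticket or from VirtualBox). It assumes the VM is started under a dedicated account, here called vboxnat, and generates IPv4 rules that reject new connections that user's processes make to the host's own addresses while leaving its outbound traffic alone; the chain name VBOXNAT is also an assumption.

```sh
#!/bin/sh
# Added example: isolate a VirtualBox NAT guest from host-local services by
# running the VM as a dedicated user and filtering that user's sockets in the
# OUTPUT chain. Not part of the ticket or of VirtualBox. "vboxnat" is an
# assumed account name; the uid is whatever `id -u vboxnat` returns.
set -eu

# Print the iptables commands for the given uid. The NAT engine runs inside
# the VM process, so every guest connection is a socket owned by that uid.
# Packets a local process sends to any of the host's own addresses (127.0.0.1,
# 10.0.2.2 as mapped by the NAT engine, or the host's real IPs) leave via
# "lo", so "-o lo" covers them all. "-m owner" only works in OUTPUT, because
# only locally generated packets carry a socket owner.
vbox_owner_rules() {
    uid="$1"
    cat <<EOF
iptables -N VBOXNAT 2>/dev/null || iptables -F VBOXNAT
iptables -A VBOXNAT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VBOXNAT -o lo -j REJECT
iptables -A VBOXNAT -j RETURN
iptables -D OUTPUT -m owner --uid-owner $uid -j VBOXNAT 2>/dev/null || true
iptables -A OUTPUT -m owner --uid-owner $uid -j VBOXNAT
EOF
}

# Usage:  sh vbox-nat-filter.sh print "$(id -u vboxnat)" | sudo sh
#    or:  sudo sh vbox-nat-filter.sh apply "$(id -u vboxnat)"
case "${1:-}" in
    print) vbox_owner_rules "$2" ;;
    apply) vbox_owner_rules "$2" | sh -e ;;
esac
```

Run the same generator against ip6tables if the host has IPv6 services bound to ::1 or its global addresses. The ESTABLISHED,RELATED rule is only there so the chain also behaves under a default-DROP OUTPUT policy; the REJECT on lo is what makes a guest connection to a host port fail. Applying the uid match to your main desktop user would, as comment:3 notes, also cut that user's own browser off from localhost, which is why a separate account is used.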
comment:4 by , 6 years ago
Draw the network diagram. Tell me at which point you see the guest not having access to the host's resources. Even worse (as you noticed), since the network traffic originates from within the host it won't obey firewall rules.
It's like having a browser access your localhost and expecting the firewall to work. It won't, because it's not external traffic, it's "internal" traffic.
comment:5 by , 6 years ago
I understand the theory for how it could have access to the host, but I also understand that the documentation (Column "VM ↔ Host", Table 6.1. Overview, https://www.virtualbox.org/manual/ch06.html) says that it doesn't; I also understand that 6.3. Network Address Translation (NAT) describes the setup as having a virtual router, which could theoretically block connections to the host IP -- in fact, this section describes how the virtual router is used to prevent guests from talking to each other because "this separation maximizes security" (indicating this can and should be done). It's worth noting that most would consider the security of the host machine even more important than the security of the guest machines.
I also understand that a traceroute from within the guest doesn't show the host IP as part of its network path, so it's reasonable to make the assumption that connections initiated from the guest wouldn't be given access from behind the firewall, that they would instead go to the real physical router, which would either ignore the connection from host IP to host IP (preventing the guest from accessing the host), or would send it back to the host, thereby respecting the host firewall and allowing the guest access only to host resources which aren't blocked. It's certainly possible, with VirtualBox being capable of knowing the host's gateway, to route all guest traffic through that gateway and not allow guest traffic to be routed internally to the host.
There are also some special reasons why there should be a firewall protecting the host, including that many/most people expect there to be some isolation between guest and host, e.g. to protect the host; that guest machines are more likely to be behind on security patches (because they're not necessarily run or updated often and may not handle sensitive information but instead e.g. be used merely for testing), and more likely to run unverified code for testing or other reasons, so the guest could more easily become compromised and then compromise the host; and because allowing the guest to have internal, behind-the-firewall access to the host provides an incredible surface area and access to many services which were never meant to be available to other machines.
comment:6 by , 6 years ago
That table only states that there's no bidirectional network communication between the guest and the host, which is still true when the guest can access the host. The manual also states "Use proper means, for instance a firewall, to protect your computer and your guest(s) from accesses from the outside. Choosing the proper networking mode for VMs helps to separate host networking from the guest and vice versa." VirtualBox doesn't implement any firewall features. The firewalling effect for the clients behind a NAT is only a consequence of how NAT works.
comment:7 by , 6 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
We cannot foresee and support all potential network setups. "NAT" mode in VBox is more or less the same thing as in QEMU. It's not really a NAT even, more like automagic SOCKS. Yes, the name is unfortunate, but there's history. It's convenient for trusted VMs and serves a very, very common usage scenario.
If what it does is not what you want in your setup, you can use host-only and then configure host firewall to do necessary NAT'ing and filtering.
Inside the VirtualBox manual, you will read the following: "To an application on the host, or to another computer on the same network as the host, it looks like the data was sent by the VirtualBox application on the host, using an IP address belonging to the host." If you can ping the host IP from its own console, so can the guest, if you're using NAT. You have to configure your host firewall accordingly.
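The host-only alternative suggested in comment:7, worked through as an added example that is not from the ticket or from VirtualBox. The guest is attached to a host-only interface, the host forwards and masquerades its traffic, and because the guest's packets now arrive on a real interface, the ordinary INPUT chain decides which host services it may reach. The interface names eth0 and vboxnet0 and the 192.168.56.0/24 subnet are assumptions (the subnet being VirtualBox's default host-only range).

```sh
#!/bin/sh
# Added example: replace VirtualBox NAT with host-only networking plus NAT and
# filtering done by the host's own iptables. Not part of the ticket or of
# VirtualBox; eth0, vboxnet0 and 192.168.56.0/24 are assumed values.
set -eu

# Print IPv4 rules for: uplink interface, host-only interface, guest subnet.
# Guest traffic now enters the host on $hostonly like any external traffic,
# so INPUT applies to it, which is exactly what the NAT engine bypasses.
hostonly_nat_rules() {
    uplink="$1"     # interface carrying the default route, e.g. eth0
    hostonly="$2"   # VirtualBox host-only interface, e.g. vboxnet0
    subnet="$3"     # guest subnet configured on that interface
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
# masquerade guest traffic leaving through the uplink
iptables -t nat -A POSTROUTING -s $subnet -o $uplink -j MASQUERADE
# forward guest <-> uplink only; nothing between guests and other host networks
iptables -A FORWARD -i $hostonly -o $uplink -s $subnet -j ACCEPT
iptables -A FORWARD -i $uplink -o $hostonly -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $hostonly -j DROP
# host services reachable from the guest: only replies and the host-only DHCP server
iptables -A INPUT -i $hostonly -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $hostonly -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $hostonly -j REJECT
EOF
}

# Usage:  sh hostonly-nat.sh print eth0 vboxnet0 192.168.56.0/24 | sudo sh
#    or:  sudo sh hostonly-nat.sh apply eth0 vboxnet0 192.168.56.0/24
case "${1:-}" in
    print) hostonly_nat_rules "$2" "$3" "$4" ;;
    apply) hostonly_nat_rules "$2" "$3" "$4" | sh -e ;;
esac
```

Two caveats a practitioner would check: the rules are appended, so an earlier blanket ACCEPT in INPUT or FORWARD would still win, and the guest's DNS resolver must point at something reachable through the uplink (or get its own INPUT rule for UDP/TCP 53) since the host now rejects everything except DHCP. With this layout the guest can still ping and browse the Internet, but a connection from the guest to the host's web server is refused by the last INPUT rule rather than silently accepted as internal traffic.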