Advanced Security Features (CLI)

Advanced security features for the Anka CLI. These features require an Enterprise or Enterprise Plus license.

VM Networking

> anka modify 14.3.1-arm64 network --help
usage: network [options]

   Modify network card settings

options:
  -t,--mode <val>          network mode: shared/host/bridge/disconnected
  -b,--bridge <val>        host interface name to bridge with in the bridge mode, or "auto"
  -m,--mac <val>           specify fixed MAC address, or "auto"
  -v,--vlan <val>          assign VLAN ID, 0 to deassign
  -c,--controller <val>    set controller: anet, virtio-net
  -f,--filter <val>        filtering rules file to inject on VM start, or embed in VM config (with '-f- < rules.txt'), or use 'off' to disable

Block VM to VM and VM to Host communication

You may wish to disable VM-to-VM and VM-to-Host communication. This can be done with --no-local under modify {VM} network. The IP filter rules described below also provide a block local rule for this purpose.

IP Filtering Rules

Starting in Anka 3.3, you can attach network traffic filtering rules to a specific VM/Template; the rule syntax mimics that of ipf.conf.

This is only available in shared networking mode.

Rules are evaluated from top to bottom, and the first matching rule decides how the packet is treated. For example, with the following rules the first line matches every packet, so all traffic is blocked and the second rule is never reached:

block any
pass out from all

Examples of rules you can set on a VM:

block out to 1.1.1.1 from any
block out to 1.1.1.1 port 53
block in to port 22
block out from port 68 to port 67
block in from any port 67 to any port 68
block any from port 67 to port 68
block any
block local

You can apply rules in several ways:

  1. Globally, for all VMs that run on the host, by setting the path to a rules file: anka config net_filter /Users/myUser/vm-filter-rules. The global file is ignored for any VM Template that already has its own filter rules applied.

  2. With a file on the host whose path is stored in the specific VM template and read at VM start time. Because the file lives on the host, the rules can be specific to a VM + Host combination.

    ❯ cd ~; cat << EOF > ./rules
    pass in from 10.20.30.40
    pass out to 10.20.30.40
    block any
    EOF
    
    ❯ anka modify 13.3.1 network --filter rules
    
    ❯ anka show 13.3.1 network -f
    pass in from 10.20.30.40
    pass out to 10.20.30.40
    block any
    
    ❯ cat ~/Library/Application\ Support/Veertu/Anka/vm_lib/c12ccfa5-8757-411e-9505-128190e9854e/config.yaml | grep net
    network_cards:
      controller: virtio-net
      net_filter: /Users/nathanpierce/rules
    
  3. Embedding the rules inside the VM's config, so that no rules file is required on the host. This avoids having to ensure the rules file exists on every host the VM Template runs on.

    ❯ cd ~; cat << EOF > ./rules
    block in from any port 22
    block local
    EOF
    
    ❯ anka modify 13.3.1 network -f- < rules
    
    ❯ anka show 13.3.1 network -f
    block in from any port 22
    block local
    
    ❯ cat ~/Library/Application\ Support/Veertu/Anka/vm_lib/c12ccfa5-8757-411e-9505-128190e9854e/net_filter
    block in from any port 22
    block local%
    
  4. You can also apply a single rule by piping it in: echo "block any" | anka modify 13.3.1 network -f-.

Applying new rules replaces all previously set rules.
You can disable the rules with anka modify 13.3.1 network --filter off.
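Because the first matching rule wins, a catch-all such as block any must come last, and a mistake in ordering (as in the block any / pass out from all example above) silently disables every rule that follows it. The script below is an added example, not part of the Anka documentation or of the anka tool itself: it builds an allowlist-style rule set for a CI VM (pass traffic to and from a controller and DNS resolver, then block local and block any), lints the set for rules made unreachable by first-match evaluation, and applies it by embedding the rules in the VM config with the documented -f- form. The VM name 13.3.1, the controller address 10.20.30.40 and the resolver 10.20.30.53 are hypothetical, and the pass out to <ip> port 53 line is modelled on the documented block out to 1.1.1.1 port 53 form rather than taken from the page.

```sh
#!/bin/sh
# Added example; not part of the Anka documentation or the anka tool.
# Assumptions (hypothetical): VM "13.3.1", CI controller 10.20.30.40,
# DNS resolver 10.20.30.53. "pass out to <ip> port 53" is modelled on the
# documented "block out to 1.1.1.1 port 53" form.

build_rules() {
  # $1 = CI controller IP, $2 = DNS resolver IP.
  # Order matters: the specific pass rules must precede the catch-alls,
  # because the first matching rule decides the packet's fate.
  printf '%s\n' \
    "pass in from $1" \
    "pass out to $1" \
    "pass out to $2 port 53" \
    "block local" \
    "block any"
}

lint_rules() {
  # Reads a rule set on stdin. Anything after an unconditional
  # "block any" or "pass any" can never match; print each such dead rule
  # and exit 1 if any were found, so a misordered set is rejected.
  awk '
    dead { printf "unreachable rule at line %d: %s\n", NR, $0; bad = 1; next }
    NF == 2 && ($1 == "block" || $1 == "pass") && $2 == "any" { dead = 1 }
    END { exit bad + 0 }
  '
}

apply_rules() {
  # $1 = VM name/Template, remaining args as for build_rules.
  # Embeds the rules in the VM config ("-f-" reads stdin) and then prints
  # back what Anka stored, so the applied set can be confirmed.
  vm=$1; shift
  build_rules "$@" | lint_rules || return 1   # refuse a misordered set
  build_rules "$@" | anka modify "$vm" network -f-
  anka show "$vm" network -f
}

# Example invocation; only runs when anka is installed and --apply is given.
if command -v anka >/dev/null 2>&1 && [ "${1:-}" = "--apply" ]; then
  apply_rules 13.3.1 10.20.30.40 10.20.30.53
fi
```

Run with --apply on a host that has anka installed to push the rule set to the VM; without it the script only defines the functions, which you can source and use to lint an existing rules file (lint_rules < rules) before applying it. Remember that applying a new set replaces whatever rules the VM had before.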