ESXi hosts have a built-in firewall between the management interface and the rest of the network. By default it drops all incoming and outgoing traffic except for a specific set of services on the ESXi host. To restrict a freshly installed ESXi host so that only certain IP addresses or IP ranges can reach those services, you can configure the firewall with the vSphere Client, vCenter, or the ESXi CLI (esxcli).
Manage ESXi firewall Using vSphere client
The easiest way to configure the firewall settings is through the vSphere Client or the vCenter GUI.
- Log in to your vSphere Client
- Click ESXi host
- Go to Configuration
- Click Security Profile under Software – You can see the services list and firewall
- Click Properties on Firewall Section
- Select your service and click Firewall
- Update your IP address or IP range to allow traffic for your particular service.
Manage ESXi firewall Using ESXi CLI
Log in to your ESXi host and use the following esxcli commands to manage the firewall settings.
esxcli network firewall get – Returns the enabled or disabled status of the firewall and lists the default action.
esxcli network firewall set --default-action – Update the default action.
esxcli network firewall set --enabled – Enable or disable the ESXi firewall.
esxcli network firewall load – Load the firewall module and rule set configuration files.
esxcli network firewall refresh – Refresh the firewall configuration by re-reading the rule set files if the firewall module is loaded.
esxcli network firewall unload – Destroy filters and unload the firewall module.
esxcli network firewall ruleset list – List rule set information.
esxcli network firewall ruleset set --allowed-all – Set the allowed-all flag for a rule set.
esxcli network firewall ruleset set --enabled – Enable or disable the specified rule set.
esxcli network firewall ruleset allowedip list – List the allowed IP addresses of the specified rule set.
esxcli network firewall ruleset allowedip add – Allow access to the rule set from the specified IP address or range of IP addresses.
esxcli network firewall ruleset allowedip remove – Remove access to the rule set from the specified IP address or range of IP addresses.
ESXi CLI Command Examples
Display the firewall status:
[root@localhost:~] esxcli network firewall get
   Default Action: DROP
   Enabled: true
   Loaded: true
Specify particular IP addresses or IP ranges that may access a service. The following example disables the allow-all option for the sshServer rule set and then allows a single range:
[root@localhost:~] esxcli network firewall ruleset set --allowed-all false --ruleset-id=sshServer
[root@localhost:~] esxcli network firewall ruleset allowedip add --ip-address=192.168.0.0/24 --ruleset-id=sshServer
or
[root@localhost:~] esxcli network firewall ruleset allowedip add -i=192.168.0.0/24 -r=sshServer
To remove the specified IP address or range:
[root@localhost:~] esxcli network firewall ruleset allowedip remove --ip-address=192.168.0.0/24 -r=sshServer
List the rules associated with a particular service's rule set:
[root@localhost:~] esxcli network firewall ruleset rule list | grep sshServer
sshServer  Inbound  TCP  Dst  22  22
or
[root@localhost:~] esxcli network firewall ruleset rule list -r "sshServer"
sshServer  Inbound  TCP  Dst  22  22
To check the allowed IP addresses for all services, use the command below. A value of All means the rule set accepts connections from any source address.
[root@localhost:~] esxcli network firewall ruleset allowedip list
Ruleset    Allowed IP Addresses
---------  ------------------------------------
sshServer  192.168.0.0/24, 10.1.0.14, 172.0.0.2
sshClient  All
nfsClient  All
List only the rule sets whose allowed-IP list is restricted (i.e. not set to All):
[root@localhost:~] esxcli network firewall ruleset allowedip list | grep -v "All"
List the default firewall rule sets and whether each is enabled:
[root@localhost:~] esxcli network firewall ruleset list
Name            Enabled
--------------  -------
sshServer       true
sshClient       true
nfsClient       false
nfs41Client     false
dhcp            true
dns             true
snmp            true
ntpClient       false
CIMHttpServer   true
CIMHttpsServer  true
CIMSLP          true
iSCSI           true
vpxHeartbeats   true
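The two listings above are what you would combine to find the real exposure on a host: a rule set that is enabled and whose allowed-IP list is All is reachable from any source address, while a disabled rule set (nfsClient above) is not reachable regardless of its allowed list. The following POSIX shell script is an added example, not part of the original article or of VMware's tooling: it parses the text output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` (the column layout assumed is the one shown above) and reports enabled rule sets that are still open to everyone. Because esxcli is only available on an ESXi host, the script embeds constructed sample output; on a real host you would capture the two commands to files and pass their contents instead.

```shell
#!/bin/sh
# Added example (not from the original page): audit ESXi firewall rule sets that
# are enabled but still accept connections from any source address.
# The sample text below is constructed to mirror the esxcli output format shown
# in the article. On a host, capture the real output with:
#   esxcli network firewall ruleset list           > rulesets.txt
#   esxcli network firewall ruleset allowedip list > allowedip.txt
# and pass "$(cat rulesets.txt)" / "$(cat allowedip.txt)" to exposed_rulesets.

# Constructed sample: output of "esxcli network firewall ruleset list"
SAMPLE_RULESETS='Name            Enabled
--------------  -------
sshServer       true
sshClient       true
nfsClient       false
dhcp            true
CIMHttpServer   true'

# Constructed sample: output of "esxcli network firewall ruleset allowedip list"
SAMPLE_ALLOWEDIP='Ruleset        Allowed IP Addresses
-------------  ------------------------------------
sshServer      192.168.0.0/24, 10.1.0.14, 172.0.0.2
sshClient      All
nfsClient      All
dhcp           All
CIMHttpServer  All'

# enabled_rulesets: names of rule sets whose Enabled column is "true".
# $1 = text of "esxcli network firewall ruleset list" (header + dash line skipped)
enabled_rulesets() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }'
}

# open_rulesets: names of rule sets whose allowed-IP list is "All".
# $1 = text of "esxcli network firewall ruleset allowedip list"
open_rulesets() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "All" { print $1 }'
}

# exposed_rulesets: rule sets that are both enabled and open to every source.
# A disabled rule set (nfsClient in the sample) is not reachable, so it is
# deliberately not reported.
# $1 = ruleset list output, $2 = allowedip list output
exposed_rulesets() {
    enabled=$(enabled_rulesets "$1")
    for rs in $(open_rulesets "$2"); do
        for en in $enabled; do
            [ "$rs" = "$en" ] && printf '%s\n' "$rs"
        done
    done
}

# allowed_for: the comma-separated allowed addresses for one rule set.
# $1 = allowedip list output, $2 = rule set name
allowed_for() {
    printf '%s\n' "$1" | awk -v rs="$2" '$1 == rs { sub(/^[^ ]+[ ]+/, ""); print }'
}

# Stand-alone run against the constructed samples.
main() {
    echo "Enabled rule sets still reachable from any address:"
    exposed_rulesets "$SAMPLE_RULESETS" "$SAMPLE_ALLOWEDIP"
    echo "sshServer is restricted to: $(allowed_for "$SAMPLE_ALLOWEDIP" sshServer)"
}

main
```

With the constructed samples the audit reports sshClient, dhcp and CIMHttpServer; whether each of those should in fact be restricted with `esxcli network firewall ruleset allowedip add` depends on which management and vCenter addresses need to reach the host, which is exactly the decision the listing is meant to inform.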