Tuesday 13 December 2016

About the ESXi 5.x and 6.x firewall


Purpose

This article provides information about the Firewall feature introduced in VMware vSphere ESXi 5.0 and later, which provides a new access control capability for ESXi.

Resolution

These are important points about the ESXi 5.x firewall:
  • ESXi 5.0 has a new firewall engine that is not based on iptables.
  • The firewall is enabled by default and allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
  • The UI for configuring the firewall on ESXi 5.x and 6.x is similar to that used to configure the ESX firewall.
  • The firewall is service oriented.
  • You have the ability to restrict access to specific services based on IP address/Subnet Mask.
  • There is Host Profile support for the ESXi 5.x and 6.x firewall.
  • If you upgrade from ESX to ESXi 5.x, firewall settings are preserved.
A new esxcli interface named esxcfg-firewall is available in ESXi 5.x. This table summarizes the commands available in this interface:

esxcli network firewall get
    Returns the enabled or disabled status of the firewall and lists default actions.

esxcli network firewall set --default-action
    Update default actions.

esxcli network firewall set --enabled
    Set to true to enable the firewall, set to false to disable the firewall.

esxcli network firewall load
    Load the firewall module and rule set configuration files.

esxcli network firewall refresh
    Refresh the firewall configuration by reading the rule set files if the firewall module is loaded.

esxcli network firewall unload
    Destroy filters and unload the firewall module.

esxcli network firewall ruleset list
    List rule sets information.

esxcli network firewall ruleset set --allowedall
    Set the allowedall flag.

esxcli network firewall ruleset set --enabled
    Enable or disable the specified rule set.

esxcli network firewall ruleset allowedip list
    List the allowed IP addresses of the specified rule set.

esxcli network firewall ruleset allowedip add
    Allow access to the rule set from the specified IP address or range of IP addresses.

esxcli network firewall ruleset allowedip remove
    Remove access to the rule set from the specified IP address or range of IP addresses.

For example:

To enable the sshClient firewall ruleset (pass --enabled false to disable it again):

esxcli network firewall ruleset set --enabled true --ruleset-id=sshClient

Additional Information

For more information about the ESXi 5.0 firewall, see the vSphere Security Guide.

The firewall remains loaded, even when disabled. For example:

Firewall enabled:

# esxcli network firewall set --enabled true
# esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true

Firewall disabled:

# esxcli network firewall set --enabled false
# esxcli network firewall get
Default Action: DROP
Enabled: false
Loaded: true
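The following is an added example, not part of the KB article: it ties together the rule set commands in the table above and the Enabled/Loaded distinction just shown. It restricts a rule set to a management subnet and then checks the output of esxcli network firewall get for real enforcement rather than just "Loaded: true". The rule set id sshServer is a standard ESXi rule set; the subnet 192.0.2.0/24 is a constructed placeholder, and the option is written --allowed-all as the actual esxcli flag spells it.

```shell
#!/bin/sh
# Added example, not from the VMware KB article: lock an ESXi 5.x/6.x firewall
# rule set down to a management subnet and check the firewall's enforcement state.
# Assumptions: sshServer is the rule set to restrict (a standard ESXi rule set id)
# and 192.0.2.0/24 is a constructed placeholder for the management network.
ESXCLI="${ESXCLI:-esxcli}"

# Print the esxcli commands that restrict rule set $1 to the subnet in $2:
# first stop accepting from all sources, then allow the management range only.
lock_ruleset_cmds() {
    printf '%s network firewall ruleset set --ruleset-id=%s --allowed-all false\n' "$ESXCLI" "$1"
    printf '%s network firewall ruleset allowedip add --ruleset-id=%s --ip-address=%s\n' "$ESXCLI" "$1" "$2"
}

# Parse the text of `esxcli network firewall get` ($1). Return 0 only when the
# module is loaded, the firewall is enabled and the default action is DROP;
# "Loaded: true" alone proves nothing, since a disabled firewall stays loaded.
fw_enforcing() {
    printf '%s\n' "$1" | awk '
        /^ *Default Action:/ { da = $NF }
        /^ *Enabled:/        { en = $NF }
        /^ *Loaded:/         { ld = $NF }
        END { exit !(da == "DROP" && en == "true" && ld == "true") }'
}

# Apply the lockdown and verify, only when invoked as: sh firewall-lock.sh apply
if [ "${1:-}" = "apply" ]; then
    lock_ruleset_cmds sshServer 192.0.2.0/24 | while read -r cmd; do
        $cmd    # word-split on purpose: each line is one esxcli invocation
    done
    if fw_enforcing "$($ESXCLI network firewall get)"; then
        echo "firewall enforcing; sshServer limited to 192.0.2.0/24"
    else
        echo "WARNING: firewall not enforcing (disabled or default action ALLOW)" >&2
        exit 1
    fi
fi
```

Without the apply argument the script only defines the functions, so fw_enforcing can be fed saved output from several hosts to audit them.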
