ESXi Firewall – How to secure an ESXi host by allowing only certain IP addresses or IP ranges.

After a fresh installation of ESXi, the host's firewall is not configured with the best possible security for your environment: every enabled service accepts connections from any source address. You usually adapt it to your own environment in order to secure those ESXi servers even more, typically by restricting the management services to the addresses of your administration workstations or a management network.

The ESXi firewall is a built-in, service-oriented firewall. It sits between the management interface and the network. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for the default services, such as DNS, DHCP, port 80 …. You can find all the default open ports in the online user guide here: TCP and UDP Ports for Management Access.

A new video on VMware TechPubs shows how to add an IP address (or range) to the list of allowed addresses that may access a service on the host. You'll see that it can easily be done through the vSphere Client, but it can also be done remotely via the CLI.

Through the vSphere Client it's a two or three click process.

ESXi Firewall – How to add allowed IP addresses into the ESXi Firewall through the vSphere Client:

01. Select your ESXi host and click the Configuration tab (Security Profile section).
02. Click Firewall Properties and select the service in the Firewall Properties dialog.
03. Click the Firewall button and, in the dialog box, choose to allow connections only from the listed networks, then enter the IP address or IP range(s), separated by commas. (Note: IPv6 addresses are accepted as well.)

ESXi Firewall

By default the ESXi Firewall is enabled, but each enabled service allows connections from all IP addresses until you restrict it.

There is also a way to configure the firewall rules and add allowed IP address(es) to the ESXi Firewall through the command line.

ESXi Firewall – How to Add Allowed IP addresses through the CLI:

Step 0: List the rule sets already configured (name and whether each is enabled):  esxcli network firewall ruleset list

Step 1: Turn off the "allowed all" flag on the rule set (here fdm, the vSphere HA agent), so that only the IP addresses added in the next step are accepted; while the flag is true, the allowed IP list is ignored: esxcli network firewall ruleset set -a=false -r=fdm

Adding Allowed IP Addresses to the ESXi Firewall

Step 2: Add the IP address (or a range in CIDR notation) as an allowed IP address to the rule set.

esxcli network firewall ruleset allowedip add -i=10.10.7.20 -r=fdm
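The two procedures above (vSphere Client and CLI) do the same thing: switch a rule set from "allow all" to an explicit allow list. The script below is an added example, not code from the original post or from VMware: a small POSIX shell wrapper around the esxcli commands shown above that validates the addresses first, flips allowed-all off, adds each address and prints the resulting list. The rule set id sshServer and the 10.10.7.x addresses in the comments are assumptions for the example; setting ESXCLI=echo gives a dry run that only prints the esxcli commands that would be executed, which is how it can be tried off a real host.

```shell
#!/bin/sh
# restrict_ruleset.sh (added example, not from the original post or VMware)
#
# Lock one ESXi firewall rule set down to a list of source addresses using
# the esxcli commands from the post. Rule set id and addresses are supplied
# by the caller (sshServer / 10.10.7.x below are assumed example values).
#
# ESXCLI points at the real binary; ESXCLI=echo makes a dry run that only
# prints the commands that would be executed.
ESXCLI="${ESXCLI:-esxcli}"

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix length and
# reject everything else (IPv6, which ESXi also accepts, is not handled here).
# Validating before touching esxcli matters: allowed-all is flipped first, so
# a bad address rejected by esxcli afterwards would leave the service
# reachable from nowhere.
valid_ipv4_or_cidr() {
    addr="${1%%/*}"
    prefix=""
    has_prefix=0
    case "$1" in
        */*) prefix="${1#*/}"; has_prefix=1 ;;
    esac
    if [ "$has_prefix" -eq 1 ]; then
        case "$prefix" in
            ''|*[!0-9]*) return 1 ;;      # empty or non-numeric prefix length
        esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;; # only digits and single dots allowed
    esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1              # exactly four octets
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# restrict_ruleset <ruleset-id> <ip|cidr>...
#   1. refuse an empty allow list (that would lock everyone out of the service),
#   2. validate every address before changing anything,
#   3. switch allowed-all off (while it is true the allowed IP list is ignored),
#   4. add each address, then print the allowed list for verification.
restrict_ruleset() {
    ruleset="$1"
    [ -n "$ruleset" ] || { echo "usage: restrict_ruleset <ruleset-id> <ip|cidr>..." >&2; return 2; }
    shift
    if [ $# -eq 0 ]; then
        echo "refusing to restrict '$ruleset' with an empty allow list: nothing could reach it" >&2
        return 2
    fi
    for ip in "$@"; do
        valid_ipv4_or_cidr "$ip" || { echo "invalid address: '$ip'" >&2; return 2; }
    done
    "$ESXCLI" network firewall ruleset set --allowed-all false --ruleset-id "$ruleset" || return 1
    for ip in "$@"; do
        "$ESXCLI" network firewall ruleset allowedip add --ip-address "$ip" --ruleset-id "$ruleset" || return 1
    done
    "$ESXCLI" network firewall ruleset allowedip list --ruleset-id "$ruleset"
}

# Run directly, e.g. (dry run):
#   ESXCLI=echo sh restrict_ruleset.sh sshServer 10.10.7.20 10.10.7.0/24
if [ $# -gt 0 ]; then
    restrict_ruleset "$@"
fi
```

Run it from a workstation whose address is in the allow list, and when restricting the rule set that carries your own session (sshServer when working over SSH, vSphereClient for the client) test a new connection from an allowed host before closing the current one; once allowed-all is false, any address not on the list is dropped.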


ESXi Firewall Commands:

esxcli network firewall get     - Returns the enabled or disabled status of the ESXi firewall and lists the default actions.

esxcli network firewall set --default-action     - Update the default action (applied to traffic that matches no rule set).

esxcli network firewall set --enabled     - Enable or disable the ESXi firewall.

esxcli network firewall load     - Load the ESXi firewall module and rule set configuration files.

esxcli network firewall refresh     - Refresh the ESXi firewall configuration by re-reading the rule set files if the firewall module is loaded.

esxcli network firewall unload     - Destroy the filters and unload the firewall module.

esxcli network firewall ruleset list     - List rule set information from the ESXi firewall.

esxcli network firewall ruleset set --allowed-all     - Set the allowed-all flag (true: accept from any address, false: only from the allowed IP list).

esxcli network firewall ruleset set --enabled     - Enable or disable the specified rule set on the ESXi firewall.

esxcli network firewall ruleset allowedip list     - List the allowed IP addresses of the specified rule set.

esxcli network firewall ruleset allowedip add     - Allow access to the rule set from the specified IP address or range of IP addresses.

esxcli network firewall ruleset allowedip remove     - Remove access to the rule set from the specified IP address or range of IP addresses.

Interesting PDF: Secure ESXi host –  http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf

Source: vladan.fr
