Manage the
ESXi
Firewall
ESXi
FirewallTo minimize the
risk of an attack through the management interface,
ESXi
includes a
firewall between the management interface and the network.
To ensure the integrity of
the host, only a small number of firewall ports are open by default. The
vSphere
Security
documentation explains how to set up firewalls for your
environment and which ports you might have to temporarily enable for certain
traffic.
You manage firewalls by setting up firewall rulesets.
The
vSphere Security
documentation explains how to perform these tasks by using the vSphere Client
. You can also use esxcli network
firewall
to manage firewall rulesets and to retrieve information about
them. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands
in place of <conn_options>
. - Check firewall status and sshServer ruleset status.esxcli <conn_options> network firewall getDefault Action: DROP Enabled: true Loaded: trueesxcli <conn_options> network firewall ruleset list --ruleset-id sshServerName Enabled --------- ------- sshServer true
- Enable the sshServer ruleset if it is disabled.esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --enabled true
- Obtain access to theESXi Shelland check the status of theallowedAllflag.esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServerRuleset Allowed IP Addresses --------- -------------------- sshServer AllSeeGetting Started with ESXCLIfor information on accessing theESXi Shell.
- Set the status of theallowedAllflag tofalse.esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --allowed-all false
- Add the list of allowed IP addresses.esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.1.0/24 esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.10.10
- Check the allowed IP address list.esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServerRuleset Allowed IP Addresses --------- ----------------------------- sshServer 192.XXX.10.10, 192.XXX.1.0/24