ESXi firewall

Using esxcli network firewall for ESXi Firewall Management
To minimize the risk of an attack through the management interface, ESXi includes a firewall between the management interface and the network. To ensure the integrity of the host, only a small number of firewall ports are open by default. The vSphere Security documentation explains how to set up firewalls for your environment and which ports you might have to temporarily enable for certain traffic.
You manage firewalls by setting up firewall rulesets. vSphere Security documentation explains how to perform these tasks with the vSphere Client. You can also use esxcli network firewall to manage firewall rulesets and to retrieve information about them. Specify one of the options listed in Connection Options in place of <conn_options>.
To limit shell access
1. Check firewall status and sshServer ruleset status.
esxcli <conn_options> network firewall get
Default Action: DROP
Enabled: true
Loaded: true
esxcli <conn_options> network firewall ruleset list --ruleset-id sshServer
Name       Enabled
---------  -------
sshServer  true
2. Enable the sshServer ruleset if it is disabled.
esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --enabled true
3. Obtain access to the ESXi Shell and check the status of the allowedAll flag.
esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer
Ruleset    Allowed IP Addresses
---------  --------------------
sshServer  All
See Getting Started with vSphere Command-Line Interfaces for information on accessing the ESXi Shell.
4. Set the status of the allowedAll flag to false.
esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --allowed-all false
5. Add the list of allowed IP addresses.
esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.1.0/24
esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.10.10
6. Check the allowed IP address list.
esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer
Ruleset Allowed IP Addresses
--------- -----------------------------
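The six steps above, wrapped into a small POSIX sh audit and remediation helper. This is an added example, not VMware's own code or output: the ESXCLI variable is assumed to hold "esxcli <conn_options>" and defaults to esxcli_stub, a constructed stand-in that replays sample output so the script runs without a host; STUB_ALLOWED, the 192.0.2.0/24 and 192.0.2.10 addresses (TEST-NET), and all function names are assumptions. The checks parse the same columns the procedure shows: an Allowed IP Addresses value of "All" means allowedAll is still true and the sshServer ruleset is reachable from every source address.

```shell
#!/bin/sh
# Added example, not VMware's own code: audit/remediation helper around the
# esxcli commands in the procedure above. ESXCLI normally expands to
# "esxcli <conn_options>"; by default it points at esxcli_stub, a constructed
# stand-in that replays sample output so the script runs offline.
ESXCLI="${ESXCLI:-esxcli_stub}"

# Constructed state for the stub: what "allowedip list" reports for sshServer.
STUB_ALLOWED="${STUB_ALLOWED:-All}"

esxcli_stub() {
    case "$*" in
        "network firewall get")
            printf '   Default Action: DROP\n   Enabled: true\n   Loaded: true\n' ;;
        "network firewall ruleset list --ruleset-id sshServer")
            printf 'Name       Enabled\n---------  -------\nsshServer  true\n' ;;
        "network firewall ruleset allowedip list --ruleset-id sshServer")
            printf 'Ruleset    Allowed IP Addresses\n---------  --------------------\nsshServer  %s\n' "$STUB_ALLOWED" ;;
        "network firewall ruleset set "*|"network firewall ruleset allowedip add "*)
            ;;   # configuration commands succeed silently in the stub
        *)
            echo "esxcli_stub: unsupported command: $*" >&2; return 1 ;;
    esac
}

# Step 1: succeeds only if the host firewall is loaded, enabled and defaults to DROP.
firewall_is_enforcing() {
    $ESXCLI network firewall get | awk '
        /Default Action:/ { drop = ($NF == "DROP") }
        /Enabled:/        { enabled = ($NF == "true") }
        /Loaded:/         { loaded = ($NF == "true") }
        END { exit !(drop && enabled && loaded) }'
}

# Step 1: succeeds only if the named ruleset is enabled.
ruleset_enabled() {
    $ESXCLI network firewall ruleset list --ruleset-id "$1" | awk -v rs="$1" '
        $1 == rs { found = 1; ok = ($2 == "true") }
        END { exit !(found && ok) }'
}

# Steps 3 and 6: prints the Allowed IP Addresses column for the ruleset.
# "All" means allowedAll is still true, i.e. every source address may reach the service.
ruleset_allowed_ips() {
    $ESXCLI network firewall ruleset allowedip list --ruleset-id "$1" | awk -v rs="$1" '
        $1 == rs { $1 = ""; sub(/^ +/, ""); print }'
}

# Succeeds only when the ruleset is limited to an explicit address list.
ruleset_is_restricted() {
    ips=$(ruleset_allowed_ips "$1")
    [ -n "$ips" ] && [ "$ips" != "All" ]
}

# Steps 2, 4 and 5: enable the ruleset, clear allowedAll, then add each allowed address.
# Usage: restrict_ruleset sshServer 192.0.2.0/24 192.0.2.10   (constructed TEST-NET addresses)
# Refuses an empty address list: clearing allowedAll with nothing allowed would cut off
# every management source for that service.
restrict_ruleset() {
    rs="$1"; shift
    [ $# -gt 0 ] || { echo "restrict_ruleset: refusing to clear allowedAll with an empty list" >&2; return 1; }
    $ESXCLI network firewall ruleset set --ruleset-id "$rs" --enabled true || return 1
    $ESXCLI network firewall ruleset set --ruleset-id "$rs" --allowed-all false || return 1
    for ip in "$@"; do
        $ESXCLI network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$ip" || return 1
    done
}

# One-line verdict per check, suitable for a scheduled audit job.
audit_report() {
    rs="$1"
    firewall_is_enforcing       && echo "PASS firewall enabled, default DROP" || echo "FAIL firewall not enforcing"
    ruleset_enabled "$rs"       && echo "PASS $rs ruleset enabled"            || echo "FAIL $rs ruleset disabled"
    ruleset_is_restricted "$rs" && echo "PASS $rs allowed IPs: $(ruleset_allowed_ips "$rs")" \
                                || echo "FAIL $rs reachable from all addresses (allowedAll true)"
}

audit_report sshServer
```

Against a live host, run it as `ESXCLI="esxcli --server <host> --username <user>" sh audit.sh`; the stub is only used when ESXCLI is left unset. The audit functions are read-only, so they can be scheduled to catch a ruleset that drifts back to allowedAll, while restrict_ruleset is the one-shot remediation for steps 2 to 5.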