I've spent most of today looking for information on the "esxcfg-firewall --ipruleAdd" command. I want to restrict SSH access to only 2 subnets (let's say 192.168.123.0/24 and 192.168.134.0/24). IP rules look like they should be able to do it, but I've not figured out the right combination of rules.
This is what I've tried (and the man page for esxcfg-firewall made it sound like it should work...)
esxcfg-firewall --ipruleAdd 0.0.0.0/0,22,tcp,REJECT,"Block_SSH"
esxcfg-firewall --ipruleAdd 192.168.123.0/24,22,tcp,ACCEPT,"Allow_123_SSH"
esxcfg-firewall --ipruleAdd 192.168.134.0/24,22,tcp,ACCEPT,"Allow_134_SSH"
My reasoning was that since SSH is open to the world to start, I would deny all and then allow the two subnets I wanted. What actually happened is the block worked and the allows didn't.
This is the example from the man page I based these rules on:
To allow only one host access to a specified port of the COS
esxcfg-firewall --ipruleAdd 0.0.0.0/0,902,tcp,REJECT,"block_902"
esxcfg-firewall --ipruleAdd 192.168.1.1,902,tcp,ACCEPT,"allow_one"
Any help you can give would be awesome. Thanks all.
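As an added illustration (not part of the post above and not VMware's code), the following models a first-match rule chain and runs the poster's three rules through it. It assumes iptables-style evaluation (top to bottom, first matching rule decides); since the page does not say whether `--ipruleAdd` appends to or prepends to the chain, both resulting orders are evaluated so you can see which one leaves the ACCEPT rules shadowed by the catch-all REJECT.

```python
# Added example: first-match evaluation of the poster's SSH rules.
# Assumption: the chain is walked top to bottom and the first rule that
# matches (source net, port, proto) decides, as iptables does.
from ipaddress import ip_address, ip_network

# The three rules exactly as the poster typed them, in that order.
RULES_AS_TYPED = [
    ("0.0.0.0/0",        22, "tcp", "REJECT", "Block_SSH"),
    ("192.168.123.0/24", 22, "tcp", "ACCEPT", "Allow_123_SSH"),
    ("192.168.134.0/24", 22, "tcp", "ACCEPT", "Allow_134_SSH"),
]

# If each --ipruleAdd inserts at the TOP of the chain, the effective order
# is the reverse of the typing order (constructed here for comparison).
RULES_IF_PREPENDED = list(reversed(RULES_AS_TYPED))


def evaluate(rules, src, port, proto, default="ACCEPT"):
    """Return the action of the first rule matching (src, port, proto).

    `default` models the page's starting state: SSH open to the world.
    """
    addr = ip_address(src)
    for net, rport, rproto, action, _name in rules:
        if addr in ip_network(net) and port == rport and proto == rproto:
            return action
    return default


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule with the
    same port/proto already covers every address they would match."""
    shadowed = []
    for i, (net, port, proto, _act, name) in enumerate(rules):
        later = ip_network(net)
        for enet, eport, eproto, _eact, _ename in rules[:i]:
            if eport == port and eproto == proto and later.subnet_of(ip_network(enet)):
                shadowed.append(name)
                break
    return shadowed


if __name__ == "__main__":
    for label, chain in (("append order", RULES_AS_TYPED),
                         ("prepend order", RULES_IF_PREPENDED)):
        print(label, "->", evaluate(chain, "192.168.123.5", 22, "tcp"),
              "| shadowed:", shadowed_rules(chain))
```

`shadowed_rules` is the check to run on any ordered chain: a rule it reports will never match, which is exactly the symptom the post describes.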