StephenMoll
Expert

ESXi Firewall - Allowed IP Addresses - Max size of IP List


We need to add firewall rules to our ESXi servers to only allow connections from IP addresses in a list.

We are finding on some cases we cannot add all the addresses we want. Is there a limit to the number of entries in the list?

If so where is this documented?

Can the limit be changed?

0 Kudos
1 Solution

Accepted Solutions
StephenMoll
Expert

We have been investigating this and according to VMware, the limit is 128 and it cannot be changed.


0 Kudos
5 Replies
depping
Leadership

It is not very common for customers to have more than 128 IPs to connect to ESXi directly, to be honest. I never encountered it.

0 Kudos
StephenMoll
Expert

We are not a 'usual' customer as you're possibly already aware (Frank is). So, you have now! Our first attempt was to add over 300 addresses! LOL! Only by being very selective can we get the list down to around 100 entries, which has two problems:

1.  We are not sure the list will be complete enough.

2.  There is no room for expansion.

We have quite strict requirements to meet in many areas that give us challenges all the time. This is just another one of those.

What is a little disappointing is that this information is not included anywhere in the documentation that covers this topic. All of the guides and material we looked at, even those that described how to populate the list, gave no hints that there was a limit at all, let alone what it actually was. 

In finding out that the limit is fixed at 128, we assume this comes back to the warning in the vSphere Security Guidance (formerly Hardening Guide), which for the "ESXi.firewall-restrict-access" guideline says the firewall should be used to restrict access to services on the host, and further warns that using the firewall beyond protecting access to SSH and web access can affect system performance.

Our thoughts are that this implies that the firewall is very simplistic and that it has to search the allow list for the source IP of every packet received, meaning increased latency for packets coming from nodes far down the list, and that 128 might be a practical limit where these searches start becoming unacceptably long. Would that be right?

Thanks for the response though.


Whilst I have your attention...

Would I be right in saying that the firewall acts on all traffic inbound and outbound from all VMKernel adapters?

So it would also affect iSCSI storage traffic?


0 Kudos
sramanuja
VMware Employee

I think it would be better to understand your use case and propose a solution which may better suit your needs. It would be best if you can talk to your TAM to schedule some time with the networking Product Management team to talk through this.

0 Kudos
StephenMoll
Expert

That’s already happening. I do find airing things here sometimes gathers other useful insights.

0 Kudos