We need to add firewall rules to our ESXi servers to only allow connections from IP addresses in a list.
We are finding on some cases we cannot add all the addresses we want. Is there a limit to the number of entries in the list?
If so where is this documented?
Can the limit be changed?
We are not a 'usual' customer as you're possibly already aware (Frank is). So, you have now! Our first attempt was to add over 300 addresses! LOL! Only by being very selective can we get the list down to around 100 entries, which has two problems:
1. We are not sure the list will be complete enough.
2. There is no room for expansion.
We have quite strict requirements to meet in many areas that give us challenges all the time. This is just another one of those.
What is a little disappointing is that this information is not included anywhere in the documentation that covers this topic. All of the guides and material we looked at, even those that described how to populate the list, gave no hints that there was a limit at all, let alone what it actually was.
In finding out that the limit is fixed at 128, we assume came back to the warning in the vSphere Security Guidance (formerly Hardening Guide) which for the "ESXi.firewall-restrict-access" guideline says the firewall should be used to restrict access to services on the host, and further warns that using the firewall beyond protecting access to SSH and web access can affect system performance.
Our thoughts are that this implies that the firewall is very simplistic and that it has to search the allow list for the source-IP of every packet received, meaning increase latency for packets coming from nodes far down the list, and that 128 might be a practical limit where these searches start becoming unacceptably long. Would that be right?
Thanks for the response though.
Whilst I have your attention...
Would I be right in saying that the firewall acts on all traffic inbound and outbound from all VMKernel adapters?
So it would also affect iSCSI storage traffic?
I think it would be better to understand your use case and propose a solution which may better suit your needs. It would be best if you can talk to your TAM to schedule some time with the networking Product Management team to talk through this.