anothervsphereu
Enthusiast
Enthusiast

ESXi firewall - NFC

I am trying to harden my ESXi hosts using the ESXi firewall rules.   I am having issues with the NFC rule.  I believe I have identified everything that needs to communicate using this rule.  It is a long list that includes network ranges and individual IPs.  When I add the IPs on a 6.x host, the process completes successfully.  But on 7.x hosts, i get this error.  Rule is enabled and set to allow all.

anothervsphereu_0-1648739742228.png

I did find that if I add the in parts, say add the first 1/3, click ok,   add the second 1/3, click ok, add the last 1/3,click ok. I don't get the error.  Does ESXi have a limitation on the number of ip restrictions that can be added at a time?

Perhaps I have included items in the that I dont need.  Along with mgmt subnets, I also have about 70 standalone hosts, and have added each of their IPs, SRM server IPs, etc.

 

0 Kudos
5 Replies
Tibmeister
Expert
Expert

Just enable Lockdown mode and save yourself a lot of headaches.

0 Kudos
anothervsphereu
Enthusiast
Enthusiast

How would lockdown mode help me in this case?

0 Kudos
Tibmeister
Expert
Expert

In this case, nothing.  If you back out all the changes you've done and enable lockdown mode, it will achieve what you were after originally.

0 Kudos
anothervsphereu
Enthusiast
Enthusiast

What does lockdown mode do specifically related to the NFC firewall rule?

0 Kudos
Tibmeister
Expert
Expert

You're honestly overthinking it and getting way further into the weeds than needed.  You will chase this issue with every update and will end up pulling out your hair. 

Lockdown mode is fully DoD compliant, anything more than that and you are going to go mad. 

If you really want to lock down further than what Lockdown mode does, then put the management interfaces on a separate network behind a big firewall and setup a ton of ACLs.

0 Kudos