Pinred (Contributor)

ESX 3.5 - esxcfg-firewall new rules

Hi all,

I want to know if it is possible to add a new rule in the embedded firewall of ESX 3.5 to accept connections only from a specific IP address.

Example:

My ESX server has 6 Ethernet interfaces, and I want to make rules so that:

  • on interface 1, connections are accepted only from 10.10.10.1 and all other IPs that try to connect are denied;

  • on interfaces 5 and 6, connections are accepted only from 192.168.1.2 and all other IPs that try to connect are denied.

Is this possible?

Can you help me?

Many Thanks

5 Replies
RParker (Immortal)

I don't think you can do IP restriction on ESX virtual switch. You should be able to do this with your managed switches (Enterprise level).

Pinred (Contributor)

I have read that I can define this type of rule via iptables...

I want to define the rules not on the virtual switch, but on the physical interfaces...

Texiwill (Leadership)

Hello,

Moved to Security and Compliance forum.

First, if those interfaces are connected to the service console, then it is possible to do what you want, but you need to know 'iptables' quite well in order to insert the rules as expected. If it is just a single IP, then you could easily put in a 'deny all' using iptables; however, that could prevent vCenter from connecting as well. So you really need to know what currently connects to ESX and determine how it connects. In my book I present an iptables script that does break things down for you, in Chapter 4. Other options include adding the appropriate IPs to /etc/hosts.allow and /etc/hosts.deny, or implementing pam_access.so. What service are you trying to 'lock down'?

If those interfaces are NOT connected to the service console then NO, there is no way to use the service console firewall to protect those interfaces. There is in effect no per vSwitch firewall which is what you want to implement. In this case you are really looking to use products like VMC from Reflex Systems, Catbird's V-Security product, or a virtual FW between the external vSwitch and the VMs.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
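As an added illustration of the two options the answer above names (not code from the thread or from the book), the script below emits an iptables rule set for one service-console interface that admits only the management host from the question, keeps established sessions, and carves out the vCenter ports so management is not cut off; it also emits the tcp_wrappers pair. The interface names (vswif0, vswif1), the vCenter address, and the ports 443/902 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Rules are printed rather than applied so
# they can be reviewed first; on the service console they would be piped to sh.
# Assumptions: service-console interfaces are named vswifN, vCenter reaches the
# host on 443/tcp and 902/tcp+udp (vCenter address supplied by the caller).

# restrict_iface IFACE ALLOWED_IP [VCENTER_IP]
restrict_iface() {
    iface=$1; allowed=$2; vcenter=$3
    # Replies to sessions the console itself opened (DNS, NTP, syslog) stay open.
    echo "iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The single host permitted to open new connections on this interface.
    echo "iptables -A INPUT -i $iface -s $allowed -j ACCEPT"
    # The caveat from the answer: do not lock vCenter out if it uses this interface.
    if [ -n "$vcenter" ]; then
        echo "iptables -A INPUT -i $iface -s $vcenter -p tcp -m multiport --dports 443,902 -j ACCEPT"
        echo "iptables -A INPUT -i $iface -s $vcenter -p udp --dport 902 -j ACCEPT"
    fi
    # Log, then drop, every other new connection arriving on this interface.
    echo "iptables -A INPUT -i $iface -j LOG --log-prefix \"SC-FW-DROP $iface: \" --log-level 4"
    echo "iptables -A INPUT -i $iface -j DROP"
}

# tcpwrapper_entries ALLOWED_IP: the /etc/hosts.allow and /etc/hosts.deny pair
# the answer mentions. It only covers wrapper-aware daemons (sshd is assumed
# to be one), so it complements the iptables rules rather than replacing them.
tcpwrapper_entries() {
    echo "# /etc/hosts.allow"
    echo "sshd: $1"
    echo "# /etc/hosts.deny"
    echo "ALL: ALL"
}

# Interface 1 from the question, then interfaces 5 and 6 (mapped to vswif1/vswif2
# here) with an assumed vCenter address of 10.10.10.50.
restrict_iface vswif0 10.10.10.1 10.10.10.50
restrict_iface vswif1 192.168.1.2
restrict_iface vswif2 192.168.1.2
tcpwrapper_entries 10.10.10.1
```

Because esxcfg-firewall rewrites the iptables tables when its own rules change, rules inserted this way need to be reapplied after any esxcfg-firewall change, for example from rc.local.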
Pinred (Contributor)

OK..

If I put a fake Service Console on every virtual switch, can I make rules on every physical interface?

Many Thanks

Texiwill (Leadership)

Hello,

No, the firewall ONLY pertains to the service console and not the vSwitch...

pNIC <-> vSwitch <-> Portgroup <-> vNIC (SC vSwif) <-> IPTables

So in essence the firewall is ONLY within the SC and unrelated to the vSwitch, so it is NOT possible to do what you want. You really need to use a virtual firewall such as:

pNIC <-> vSwitchA <-> PortgroupA <-> vNICA (vFW) vNICB <-> PortgroupB <-> vSwitchB <-> VMs

So your virtual firewall fits between two vSwitches. You can NOT use the service console firewall to protect ANY vSwitch. It is in the wrong spot.

Best regards,
Edward L. Haletky