VMware Cloud Community
kenw232
Enthusiast

dazed and confused - esxcfg-firewall

I'm running ESX4. So when I do an esxcfg-firewall --ipruleAdd 207.11.10.5,0:65535,tcp,ACCEPT,"allowme" (or whatever), that new entry will stick across reboots? I see I do not have to do that command again after I reboot the server. Can someone confirm this is expected behaviour?

Also, what's with the rule order? Can I specify a rule order? So I have my ESX4 server online. Anyone can connect, so that's bad. So I do a:

esxcfg-firewall --ipruleAdd 0.0.0.0/0,0:65535,tcp,REJECT,"block_all"

esxcfg-firewall --ipruleAdd 207.11.10.5,0:65535,tcp,ACCEPT,"allowme"

This blocks everyone from connecting except me at 207.11.10.5. This works.

BUT if I continue to add other random IP addresses:

esxcfg-firewall --ipruleAdd 57.99.10.85,0:65535,tcp,ACCEPT,"allowme2"

esxcfg-firewall --ipruleAdd 87.32.13.4,0:65535,tcp,ACCEPT,"allowme3"

all of a sudden esxcfg-firewall will start to add them BEFORE the block_all from above, making them ineffective. This is a random thing too (after about 5 new ones); I can't pin it down. When I say "BEFORE" I mean that if you do an "esxcfg-firewall -q" they will list at the bottom of the output. The block_all has to be the first one listed from what I can see.

Anyone know how to get this to work sanely?

Texiwill
Leadership

Hello,

They may be using an insert; I am not sure. Try adding the block_all LAST.

Also, if you really want distinct control you may want to set up a separate iptables-based command that runs within /etc/rc.d/rc.local so that on boot it is handled properly.

This secondary firewall mechanism will give you a finer grain of control on where your rules will live. I prefer this mechanism over any other.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available 'VMWare ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
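The reply above suggests managing the service-console rules with your own iptables commands from /etc/rc.d/rc.local instead of relying on where esxcfg-firewall places each --ipruleAdd entry. The script below is an added example written for this page; it is not code from the thread, from VMware, or from the reply's author. It puts every rule in a dedicated chain (the chain name MGMT_ALLOW and the three host addresses are assumptions taken from the question, not a real configuration) and always appends the catch-all REJECT after the per-host ACCEPT rules, so rule order is decided by the script rather than by whatever esxcfg-firewall does when it adds entries. By default it only prints the iptables commands (DRY_RUN=1); set DRY_RUN=0 to actually apply them.

```shell
#!/bin/sh
# Added example, not from the thread: deterministic host-firewall rules for an
# ESX 4 service console, meant to be called from /etc/rc.d/rc.local.
#
# Assumptions (hypothetical, for illustration only):
#   - the allowed management hosts listed below (constructed sample data)
#   - the chain name MGMT_ALLOW
#   - iptables is on PATH when DRY_RUN=0
# With DRY_RUN=1 (the default) the commands are printed, not executed.

ALLOWED_HOSTS="207.11.10.5 57.99.10.85 87.32.13.4"   # constructed sample list
CHAIN="MGMT_ALLOW"
DRY_RUN="${DRY_RUN:-1}"

# Run (or, in dry-run mode, print) one iptables invocation.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rebuild the whole chain from scratch so rerunning never duplicates rules and
# the relative order of ACCEPT and REJECT is fixed by this function alone.
build_rules() {
    ipt -N "$CHAIN" 2>/dev/null      # harmless if the chain already exists
    ipt -F "$CHAIN"

    # Keep established sessions first so the console session running this
    # script is not cut off while the rules are being replaced.
    ipt -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # One ACCEPT per allowed host, appended (-A) in list order. They are
    # appended before the catch-all, so they always precede it.
    for h in $ALLOWED_HOSTS; do
        ipt -A "$CHAIN" -p tcp -s "$h" -j ACCEPT
    done

    # Catch-all goes last by construction. To add a host later, edit the list
    # and rerun: the chain is rebuilt with the same ordering.
    ipt -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset

    # Hook the chain at the top of INPUT exactly once: delete any old hook
    # (ignore failure if absent), then insert a fresh one at position 1.
    ipt -D INPUT -p tcp -j "$CHAIN" 2>/dev/null
    ipt -I INPUT 1 -p tcp -j "$CHAIN"
}

# Returns success when the last rule appended to the chain is the REJECT,
# i.e. every per-host ACCEPT precedes the catch-all. Usable as a sanity check
# of the generated rule list before applying it (DRY_RUN=1).
reject_is_last() {
    build_rules | grep -- "-A $CHAIN" | tail -n 1 | grep -q REJECT
}

# Number of per-host ACCEPT rules in the generated list.
accept_count() {
    build_rules | grep -c -- "-A $CHAIN -p tcp -s .* -j ACCEPT"
}

build_rules
```

Test the generated list with DRY_RUN=1 from a host that is in ALLOWED_HOSTS before running it with DRY_RUN=0; the REJECT covers all TCP on the console, so any management client not in the list, not just SSH, is cut off once the rules are applied.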