I could not find a way to specify source or destination ip for esxcfg-firewall and some other features available in iptables. I also have some well designed iptables template to use.
So can I disable it by using "chkconfig firewall off" and enable iptables instead?
Any pros and cons?
Thanks!
Hello,
Actually it is possible to use your own iptables firewall options with ESX's iptables firewall tools. For example, I add in host based rules by editing the rules after ESX sets up its firewall. This way I get my host based lockdowns and all of ESX's basic rules (which are actually very good).
You have to know iptables very well to do this, however, and you need to add something to /etc/rc.d/rc.local to call your script and put a wrapper around esxcfg-firewall.
I personally use the above method as I really do like the way ESX handles things currently, and my small changes for host lockdowns are only for those items /etc/hosts.allow and /etc/hosts.deny (tcpwrappers) do not cover.
Best regards,
Edward
Here's a good ESX firewall guide...
Esxcfg-firewall - http://download3.vmware.com/vmworld/2006/labs2006/vmworld.06.lab05-SECURITY-MANUAL-APPENDIX.pdf
Thanks, Eric
Visit my website: http://vmware-land.com
Hi,
The firewall of ESX 3 is based on iptables.
Gert
Thank you guys! I finally decide to go with iptables. So far so good.
What I did:
cp my-iptables-template /etc/sysconfig/iptables
chkconfig firewall off
chkconfig iptables --level 2345 on
service firewall stop
service iptables start
When the ESX server reboots, it will load iptables from the init scripts automatically.
The only problem I see so far is if you have an HA cluster and the HA agent needs to be disabled and enabled on an ESX host. The ESX firewall will be started during this process, and it will flush your own iptables rules. I have to manually do "service firewall stop" and "service iptables start" to get my rules back.
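Edward's wrapper idea and the HA-agent flush described above, as an added example that is not from this thread or from VMware: a script installed in place of esxcfg-firewall (the original binary renamed to esxcfg-firewall.real, an assumed path) that lets ESX build its own rules and then re-applies host-based source restrictions in a separate chain, so each invocation restores the lockdowns instead of losing them. The chain name, management network and ports are constructed, and the approach assumes the HA agent restarts the firewall through esxcfg-firewall.

```shell
#!/bin/sh
# Added example (not the thread's or VMware's code): wrapper around
# esxcfg-firewall that re-applies host-based rules after ESX runs.
IPTABLES=${IPTABLES:-/sbin/iptables}
REAL_ESXCFG=${REAL_ESXCFG:-/usr/sbin/esxcfg-firewall.real}  # assumed: renamed original
CHAIN=HOSTLOCK                       # assumed chain name for our rules
MGMT_NET=${MGMT_NET:-10.1.1.0/24}    # constructed: only this net may reach SSH/902

# Host-based rules, one per line in iptables argument form: exactly the
# source/destination restrictions that esxcfg-firewall cannot express.
host_rules() {
    cat <<EOF
-p tcp --dport 22 -s $MGMT_NET -j ACCEPT
-p tcp --dport 22 -j DROP
-p tcp --dport 902 -s $MGMT_NET -j ACCEPT
-p tcp --dport 902 -j DROP
EOF
}

# Create the chain if ESX flushed and deleted it, else empty it, so the
# script is idempotent however often it runs.
reset_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"
}

# Load every host rule; returns non-zero if any iptables call fails.
load_rules() {
    host_rules | while read -r rule; do
        [ -n "$rule" ] || continue
        # word-splitting of $rule into arguments is intended
        "$IPTABLES" -A "$CHAIN" $rule || exit 1
    done
}

# Insert the jump at the top of INPUT exactly once, so our restrictions
# are checked before ESX's own ACCEPT rules for the same ports.
ensure_jump() {
    if ! "$IPTABLES" -L INPUT -n 2>/dev/null | grep -q "^$CHAIN "; then
        "$IPTABLES" -I INPUT 1 -j "$CHAIN"
    fi
}

apply_hostlock() {
    reset_chain && load_rules && ensure_jump
}

# Let ESX (or the HA agent) do its work first, then restore the lockdowns.
main() {
    "$REAL_ESXCFG" "$@"; rc=$?
    apply_hostlock || echo "esxcfg-firewall wrapper: host rules failed" >&2
    return $rc
}
case "$0" in esxcfg-firewall|*/esxcfg-firewall) main "$@" ;; esac
```

The same apply_hostlock function can be called from /etc/rc.d/rc.local after "service firewall start", which covers the reboot case as well.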
Eric,
Your link is no longer active. Could you please email me another copy of the link?
Thank You,
Greg
feingogm@bettis.gov
Eric,
As rightly said by Greg, the link is no longer active.
Can you also please email me the file or another copy of the link?
Thanks,
Archie
agcastle2000@yahoo.com