mymario99
Contributor

What is VMware's recommendation on direction for firewall rules?

I became a bit unsure about the usage of the direction feature of nsx firewall rules lately.

The official documentation states, in the section about the Edge firewall: "VMware does not recommend specifying the direction for firewall rules."

As Edges themselves are out of scope for the DFW and have no clear internal and external interface, the recommendation above makes some sense to me.


But on the NSX DFW the direction feature seems extremely important to me, and it is a shame that the direction column is disabled by default in the NSX-v GUI.

The current default direction of a firewall rule, in/out (flow allowed in both directions), is very misleading for a firewall admin coming from the non-NSX world and often results in misconfiguration that leaves the system vulnerable.


What is your opinion and experience with firewall rule directions?

larsonm
VMware Employee

When thinking about the DFW, remember that direction is from the perspective of the individual vNIC on the VM in question.

Why do you feel that the in/out direction is misleading?

mymario99
Contributor

I say "misleading" because misconfiguration can easily be done.

Example:

rule 1 : VM1 -> VM2 allow

rule 2 : VM2 -> any allow

rule 3 : any -> any block

When the intention of rule 2 was to allow outgoing traffic, it would also allow VM2 to connect to VM1 when the direction flag is not used.

In my opinion the direction should be a mandatory field with an empty default, to always make the admin explicitly choose the direction.

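The three-rule example in the post above can be checked with a small simulation. The following Python is an added illustration and is not part of the original thread, nor VMware's code. It models the DFW the way the VMware reply describes it: direction is judged from the perspective of each vNIC, rules are evaluated top-down with first match winning, and a new connection between two protected VMs has to be permitted at the source vNIC (as "out" traffic) and at the destination vNIC (as "in" traffic). The VM names, the protected set and the simplified matching are constructed assumptions; stateful reply handling and other match fields are deliberately left out.

```python
"""Toy model of NSX DFW rule evaluation (added example, not VMware code).

Assumptions (constructed for this illustration):
  - rules are evaluated top-down, first match wins, default action allow;
  - direction is evaluated per vNIC: a flow is "out" at the initiating VM's
    vNIC and "in" at the receiving VM's vNIC;
  - a flow between two DFW-protected VMs must be allowed at both vNICs;
  - only connection initiation is modelled (no stateful reply tracking).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                    # VM name or "any"
    dst: str                    # VM name or "any"
    action: str                 # "allow" or "block"
    direction: str = "in/out"   # "in", "out" or "in/out" (the DFW default)


# Constructed: the VMs whose vNICs are protected by the DFW.
PROTECTED_VMS = {"VM1", "VM2"}


def _matches(rule: Rule, src: str, dst: str, direction: str) -> bool:
    """True if the rule covers this src/dst pair in this direction."""
    if rule.src not in ("any", src):
        return False
    if rule.dst not in ("any", dst):
        return False
    return rule.direction in ("in/out", direction)


def evaluate_at_vnic(rules, src, dst, direction):
    """First-match evaluation at one vNIC; returns (action, rule name)."""
    for rule in rules:
        if _matches(rule, src, dst, direction):
            return rule.action, rule.name
    return "allow", "default"   # modelled default-allow rule


def flow_allowed(rules, src, dst):
    """A new connection src -> dst passes only if every involved vNIC allows it."""
    decisions = []
    if src in PROTECTED_VMS:
        decisions.append(evaluate_at_vnic(rules, src, dst, "out"))
    if dst in PROTECTED_VMS:
        decisions.append(evaluate_at_vnic(rules, src, dst, "in"))
    return all(action == "allow" for action, _ in decisions), decisions


def thread_rules(rule2_direction="in/out"):
    """The three rules from the post; only rule 2's direction is varied."""
    return [
        Rule("rule 1", "VM1", "VM2", "allow"),
        Rule("rule 2", "VM2", "any", "allow", rule2_direction),
        Rule("rule 3", "any", "any", "block"),
    ]


if __name__ == "__main__":
    # Constructed flows: the one the author worries about, plus sanity checks.
    for label, direction in (("default in/out", "in/out"), ("rule 2 = out", "out")):
        rules = thread_rules(direction)
        print(f"--- rule 2 direction: {label}")
        for src, dst in (("VM2", "VM1"), ("VM2", "internet"), ("VM1", "VM2"), ("internet", "VM2")):
            ok, why = flow_allowed(rules, src, dst)
            print(f"{src:8} -> {dst:8}: {'ALLOW' if ok else 'BLOCK'}  {why}")
```

With the default in/out direction, VM2 -> VM1 is allowed because rule 2 also matches as inbound traffic at VM1's vNIC. Once rule 2 is restricted to "out", the packet is still allowed to leave VM2 but is stopped by rule 3 at VM1's vNIC, which is the behaviour the author expected from an "outgoing" rule. Reviewing rules with the direction column enabled, and treating any in/out rule with a broad destination as a candidate for tightening, is the practical takeaway.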