VMware Cloud Community
lElOUCHE_79
Enthusiast
Enthusiast
‎11-26-2020 05:00 AM
Jump to solution

NTP Firewall Set

I created the below script in order to allow only IP by service, I'm not sure if it's the right way or No but I would like to discuss this and get the best option for the same

 

$vmhosts = Get-VMHost -Location MyCluster
foreach($vmhost in $vmhosts){
$esxcli=get-esxcli -vmhost $vmhost -V2
$ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
$ntpRuleSet.allowedall="false"
$ntpRuleSet.rulesetid="ntpClient"
$esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet)
$ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
$ntpAllowIP.rulesetid="ntpClient"
$ntpAllowIP.ipaddress="192.168.0.1"
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
$ntpAllowIP.ipaddress="192.168.0.2"
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
}

any comments are welcome 🙂

0 Kudos
1 Solution

Accepted Solutions
LucD
Leadership
Leadership
‎11-26-2020 05:36 AM
Jump to solution

To enable/disable a FW rule you could also use the Set-VMHostFirewallException cmdlet.
But for adding IP addresses you would still need to use the Get-EsxCli.

In your case, using the Get-EsxCli for everything is the more obvious choice.

There is no single right way to do things in PowerCLI, if the script does what you want it to do it is a good script.

Personally, I would make use of the pipeline, the PipelineVariable parameter, avoid the foreach statement, and suppress the Boolean values that are returned (since you don't use them).
Something like this

Get-Cluster -Name MyCluster |
Get-VMHost -PipelineVariable vmhost |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $ntpRuleSet.allowedall = "false"
    $ntpRuleSet.rulesetid = "ntpClient"
    $esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet) | Out-Null
    $ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $ntpAllowIP.rulesetid = "ntpClient"
    $ntpAllowIP.ipaddress = "192.168.0.1"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null
    $ntpAllowIP.ipaddress = "192.168.0.2"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null
}

 


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

4 Replies
LucD
Leadership
Leadership
‎11-26-2020 05:25 AM
Jump to solution

Post moved to the VMware PowerCLI Discussions.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
LucD
Leadership
Leadership
‎11-26-2020 05:36 AM
Jump to solution

To enable/disable a FW rule you could also use the Set-VMHostFirewallException cmdlet.
But for adding IP addresses you would still need to use the Get-EsxCli.

In your case, using the Get-EsxCli for everything is the more obvious choice.

There is no single right way to do things in PowerCLI, if the script does what you want it to do it is a good script.

Personally, I would make use of the pipeline, the PipelineVariable parameter, avoid the foreach statement, and suppress the Boolean values that are returned (since you don't use them).
Something like this

Get-Cluster -Name MyCluster |
Get-VMHost -PipelineVariable vmhost |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $ntpRuleSet.allowedall = "false"
    $ntpRuleSet.rulesetid = "ntpClient"
    $esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet) | Out-Null
    $ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $ntpAllowIP.rulesetid = "ntpClient"
    $ntpAllowIP.ipaddress = "192.168.0.1"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null
    $ntpAllowIP.ipaddress = "192.168.0.2"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null
}

 


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

lElOUCHE_79
Enthusiast
Enthusiast
‎11-27-2020 01:00 AM
Jump to solution

thank you for your help and clarification.

for the 2 last lines in the script is there a way to change it in one line

Like this 

$ntpAllowIP.ipaddress = "ntp1","ntp2"
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null

 

by the way this way will be used also for other services like SSH NFS where the Allowed IP should be not "All IP"

0 Kudos
LucD
Leadership
Leadership
‎11-27-2020 02:08 AM
Jump to solution

Afaik that is a limitation of the esxcli command itself.
It allows a single IP address (192.168.0.1) or a range (192.168.0.0/24), not an array of IP addresses.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference