Contributor

NTP Firewall Set


I created the script below in order to allow only specific IPs per service. I'm not sure if it's the right way or not, but I would like to discuss this and get the best option for the same.

 

$vmhosts = Get-VMHost -Location MyCluster
foreach ($vmhost in $vmhosts) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    # Switch the ntpClient ruleset from "allow all" to an explicit allowed-IP list
    $ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $ntpRuleSet.allowedall = "false"
    $ntpRuleSet.rulesetid = "ntpClient"
    $esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet)
    # Add each permitted NTP server address, one esxcli call per address
    $ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $ntpAllowIP.rulesetid = "ntpClient"
    $ntpAllowIP.ipaddress = "192.168.0.1"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
    $ntpAllowIP.ipaddress = "192.168.0.2"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
}

Any comments are welcome 🙂


Accepted Solutions
Leadership

To enable/disable a FW rule you could also use the Set-VMHostFirewallException cmdlet.
But for adding IP addresses you would still need to use the Get-EsxCli.

In your case, using the Get-EsxCli for everything is the more obvious choice.

There is no single right way to do things in PowerCLI; if the script does what you want it to do, it is a good script.

Personally, I would make use of the pipeline, the PipelineVariable parameter, avoid the foreach statement, and suppress the Boolean values that are returned (since you don't use them).
Something like this:

Get-Cluster -Name MyCluster |
Get-VMHost -PipelineVariable vmhost |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $ntpRuleSet.allowedall = "false"
    $ntpRuleSet.rulesetid = "ntpClient"
    $esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet) | Out-Null
    $ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $ntpAllowIP.rulesetid = "ntpClient"
    $ntpAllowIP.ipaddress = "192.168.0.1"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null
    $ntpAllowIP.ipaddress = "192.168.0.2"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null
}

 


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference


4 Replies
Leadership

Post moved to the VMware PowerCLI Discussions.




Contributor

Thank you for your help and clarification.

For the last 2 lines in the script, is there a way to change it into one line?

Like this:

$ntpAllowIP.ipaddress = "ntp1","ntp2"
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null

 

By the way, this approach will also be used for other services like SSH and NFS, where the allowed IP should not be "All IP".

Leadership

AFAIK that is a limitation of the esxcli command itself.
It allows a single IP address (192.168.0.1) or a range (192.168.0.0/24), not an array of IP addresses.


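Building on the pipeline version above and the follow-up about reusing this for SSH and NFS, here is an added example (not code from the thread or from PowerCLI's own documentation) that applies a per-service allowed-IP list to every host in the cluster, one esxcli call per address or range, and reads the result back. It assumes the constructed $allowed table, the cluster name from the thread, and that the V2 allowedip.list call returns objects with an AllowedIPAddresses property, as the esxcli output does.

```powershell
# Added example, not code from the thread. Assumes: the cluster name 'MyCluster' from the
# thread, a constructed $allowed table, and that the V2 'allowedip.list' call returns
# objects with an AllowedIPAddresses property (as the esxcli output does).
$allowed = @{                               # constructed sample: ruleset id -> IPs or CIDR ranges
    ntpClient = @('192.168.0.1', '192.168.0.2')
    sshServer = @('10.10.5.0/24')           # must include the subnet you manage ESXi from
    nfsClient = @('192.168.20.10')
}

function Set-RulesetAllowedIp {
    param($EsxCli, [string]$RulesetId, [string[]]$Addresses)

    # Turn off "allow all" so only the listed addresses match this ruleset
    $set = $EsxCli.network.firewall.ruleset.set.CreateArgs()
    $set.rulesetid  = $RulesetId
    $set.allowedall = 'false'
    $EsxCli.network.firewall.ruleset.set.Invoke($set) | Out-Null

    # esxcli accepts one IP or one CIDR range per call, so add the entries in a loop;
    # skipping entries that are already present keeps re-runs idempotent
    $current = $EsxCli.network.firewall.ruleset.allowedip.list.Invoke(@{rulesetid = $RulesetId})
    $present = @($current.AllowedIPAddresses)
    foreach ($addr in $Addresses) {
        if ($present -contains $addr) { continue }
        $add = $EsxCli.network.firewall.ruleset.allowedip.add.CreateArgs()
        $add.rulesetid = $RulesetId
        $add.ipaddress = $addr
        $EsxCli.network.firewall.ruleset.allowedip.add.Invoke($add) | Out-Null
    }
}

Get-Cluster -Name 'MyCluster' |
Get-VMHost -PipelineVariable vmhost |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    foreach ($ruleset in $allowed.Keys) {
        Set-RulesetAllowedIp -EsxCli $esxcli -RulesetId $ruleset -Addresses $allowed[$ruleset]

        # Read back what the host actually holds, so drift or a failed call is visible
        $state = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{rulesetid = $ruleset})
        [pscustomobject]@{
            VMHost    = $vmhost.Name
            Ruleset   = $ruleset
            AllowedIP = ($state.AllowedIPAddresses -join ', ')
        }
    }
}
```

The read-back objects can be piped to Export-Csv to keep a record of the firewall state per host after each run.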