We're trying to work on ESXi 5 hardening setting ID config-firewall-access. With the vSphere Client, VMware's hardening guide says "For each enabled service (e.g. ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks" and provide a range of authorized IP addresses." Naturally, we'd like to script this, but I'm new to PowerCLI scripting so it is not going well. Has anyone been able to come up with some code to comply with this setting?
There is a link to the guide at http://communities.vmware.com/docs/DOC-19056.
Welcome to the VMware VMTN Communities!
The following PowerCLI script will select "Only allow connections from the following networks", set the allowed IP range to 192.168.0.0/24, and also set the allowed IP address 192.168.1.2 for all enabled services on all hosts in your environment.
# Build the ruleset spec once; it is applied to every enabled ruleset below.
$spec = New-Object VMware.Vim.HostFirewallRulesetRulesetSpec
$spec.allowedHosts = New-Object VMware.Vim.HostFirewallRulesetIpList
# Single authorized host address
$spec.allowedHosts.ipAddress = New-Object System.String[] (1)
$spec.allowedHosts.ipAddress[0] = "192.168.1.2"
# Authorized network range (192.168.0.0/24)
$spec.allowedHosts.ipNetwork = New-Object VMware.Vim.HostFirewallRulesetIpNetwork[] (1)
$spec.allowedHosts.ipNetwork[0] = New-Object VMware.Vim.HostFirewallRulesetIpNetwork
$spec.allowedHosts.ipNetwork[0].network = "192.168.0.0"
$spec.allowedHosts.ipNetwork[0].prefixLength = 24
# $false = "Only allow connections from the following networks"
$spec.allowedHosts.allIp = $false

Get-VMHost | ForEach-Object {
  # Keep a reference to the current host; $_ is reused by the inner loop.
  $VMHost = $_
  $FirewallSystem = Get-View -Id $VMHost.ExtensionData.ConfigManager.FirewallSystem
  # Apply the spec to every enabled ruleset (service) on this host
  $FirewallSystem.FirewallInfo.Ruleset | Where-Object { $_.Enabled } | ForEach-Object {
    $FirewallSystem.UpdateRuleset($_.Key, $spec)
  }
}
To generate the lines in the script that start with $spec I used VMware Project Onyx. This is a very easy tool that allows you to do something in the vSphere client and generate the corresponding PowerCLI code. Like a macro recorder. You can use Onyx to generate the specific HostFirewallRulesetRulesetSpec for your environment.
Regards, Robert
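Before and after running a script like the one above, it is worth checking which enabled rulesets still accept connections from any address, since that is the state config-firewall-access is meant to remove. The following PowerCLI audit script is an added example, not code from the thread or from VMware; it assumes an existing Connect-VIServer session and a vSphere 5 host API (where HostFirewallRuleset exposes AllowedHosts), and it reads configuration only, changing nothing.

```powershell
# Added example (not from the original thread): report, per host and per
# enabled firewall ruleset, whether the ruleset is still open to all IPs.
# Assumes Connect-VIServer has already been run and ESXi 5 hosts.
function Get-FirewallAccessReport {
    foreach ($vmhost in Get-VMHost) {
        $fw = Get-View -Id $vmhost.ExtensionData.ConfigManager.FirewallSystem
        foreach ($rs in ($fw.FirewallInfo.Ruleset | Where-Object { $_.Enabled })) {
            $allowed = $rs.AllowedHosts
            # Hosts older than vSphere 5 do not expose AllowedHosts; report them as unknown
            if ($allowed -eq $null) {
                New-Object PSObject -Property @{
                    VMHost = $vmhost.Name; Ruleset = $rs.Key; Label = $rs.Label
                    AllIp = "unknown"; Allowed = ""; Compliant = $false
                }
                continue
            }
            # Collect the configured networks (CIDR) and single addresses for display
            $entries = @()
            if ($allowed.IpNetwork) {
                $entries += $allowed.IpNetwork | ForEach-Object { "$($_.Network)/$($_.PrefixLength)" }
            }
            if ($allowed.IpAddress) {
                $entries += $allowed.IpAddress
            }
            New-Object PSObject -Property @{
                VMHost    = $vmhost.Name
                Ruleset   = $rs.Key
                Label     = $rs.Label
                AllIp     = $allowed.AllIp
                Allowed   = ($entries -join ",")
                # The hardening setting is met only when AllIp is off and at least
                # one authorized network or address is listed
                Compliant = ((-not $allowed.AllIp) -and ($entries.Count -gt 0))
            }
        }
    }
}

# Show only the rulesets that still need attention
Get-FirewallAccessReport |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize VMHost, Ruleset, Label, AllIp, Allowed
```

Running the report after the update script should leave the table empty; any ruleset that remains is either still set to allow all IPs or has an empty allowed list, which would block the service rather than restrict it, so review those entries before treating the host as compliant.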
The guide you have linked to is now out of date.
Please refer to the official release
http://communities.vmware.com/docs/DOC-19605
This release includes PowerCLI, vCLI, and shell examples for all of the recommendations.
It is a great doco imo.