VMware Cloud Community
vSohill
Expert

Block ssh and ICMP for VMs on VDS

Hi,

Can I stop SSH or ping to some VMs from a VDS PortGroup?

MKguy
Virtuoso

If you're on 5.5 or later you can use the traffic filtering feature of the VDS, which allows you to define basic ACLs based on Layer 2 and 3 Source/Destination as well as layer 4 ports. Note that you need to use the Web Client to access these settings in the VDS.

Refer to the documentation for more information on how to enable traffic filtering:

Filter Traffic on a Distributed Port Group or Uplink Port Group

I would prefer implementing a proper firewall though.

-- http://alpacapowered.wordpress.com
Dee006
Hot Shot

I prefer you to use vShield or any virtual firewall VM in front of your VM to restrict the port policy, in case you don't have the facility in your firewall.

vShield is available standalone with vSphere 5.5 or earlier; from vSphere 6 onwards you need to use it along with NSX.

vSohill
Expert

Can the VDS do that without VNS or NSX?

vSohill
Expert

From this option I can drop ICMP, but how can I drop SSH?

[screenshot: pastedImage_0.png]

MKguy
Virtuoso

You have to select the appropriate layer 4 transport protocol, which is TCP in this case. Then you can enter the layer 4 destination port to match, which is port 22 for SSH:

[screenshot: dzfd.png]

-- http://alpacapowered.wordpress.com
vSohill
Expert

Great, Thank you.

In my screenshot, will the ACL be applied to port ID 16 only, meaning only the VM linked to port 16 and not the other VMs and the PG? Am I assuming right?

[screenshot: pastedImage_0.png]

MKguy
Virtuoso

Yes, rules defined on individual dvports only apply to that dvport and not to the entire port group.

Just be aware that with filtering both Ingress/Egress, your VM will not be able to establish outbound SSH connections either. If you just want to filter SSH connections TO and not FROM the port, you need to set the rule to Egress only, as Egress/Ingress traffic is always seen from the VDS point of view.

-- http://alpacapowered.wordpress.com
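As an added illustration (not part of this thread and not VMware's code), a small Python model of the matching semantics described in the replies above: rules bound to a single dvport, matched statelessly per packet, with direction taken from the VDS's point of view. The `Packet` and `Rule` shapes, the port numbers and the "first match wins, default allow" evaluation are my own simplification, chosen to show why an Egress-only rule blocks SSH to the VM but not from it.

```python
from dataclasses import dataclass
from typing import Optional

TCP, ICMP = 6, 1  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None  # None for ICMP, which has no ports

@dataclass(frozen=True)
class Rule:
    # Direction as the VDS sees it: "egress" = switch -> VM, "ingress" = VM -> switch.
    direction: str                # "egress", "ingress" or "both"
    proto: int
    dst_port: Optional[int]       # None matches any destination port
    dvport: Optional[int] = None  # None = rule defined on the whole port group
    action: str = "drop"

def matches(rule, pkt, direction, dvport):
    """Stateless match of one packet against one rule; no flow state is kept."""
    if rule.dvport is not None and rule.dvport != dvport:
        return False  # a rule bound to dvport 16 never touches dvport 17
    if rule.direction != "both" and rule.direction != direction:
        return False
    if rule.proto != pkt.proto:
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port

def evaluate(rules, pkt, direction, dvport):
    """First matching rule wins; a packet matching no rule is allowed."""
    for rule in rules:
        if matches(rule, pkt, direction, dvport):
            return rule.action
    return "allow"

# Constructed rule set for the thread's scenario, bound to dvport 16 only.
RULES = [Rule("egress", TCP, 22, dvport=16), Rule("both", ICMP, None, dvport=16)]
SSH_SYN = Packet(TCP, 22)       # first packet of an SSH connection
SSH_REPLY = Packet(TCP, 48111)  # reply to a VM-initiated session (constructed ephemeral port)
PING = Packet(ICMP)

def demo():
    return {
        "ssh_to_vm16": evaluate(RULES, SSH_SYN, "egress", 16),          # drop
        "ssh_from_vm16": evaluate(RULES, SSH_SYN, "ingress", 16),       # allow
        "ssh_reply_to_vm16": evaluate(RULES, SSH_REPLY, "egress", 16),  # allow
        "ssh_to_vm17": evaluate(RULES, SSH_SYN, "egress", 17),          # allow
        "ping_to_vm16": evaluate(RULES, PING, "egress", 16),            # drop
        # the same SSH rule set to "both" also blocks the VM's own outbound SSH:
        "ssh_from_vm16_both": evaluate([Rule("both", TCP, 22, dvport=16)], SSH_SYN, "ingress", 16),
    }
```

The last entry reproduces the caveat in the reply above: a "both" rule on TCP/22 drops the VM's outbound SSH SYN as well, while the Egress-only rule lets it through because the return packets carry an ephemeral destination port, not 22.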
vSohill
Expert

Thank you
