appliance networking firewall inbound: set
Set the ordered list of firewall rules to allow or deny traffic from one or more incoming IP addresses. This overwrites the existing firewall rules and creates a new rule list. Within the list of traffic rules, rules are processed in order of appearance, from top to bottom. For example, the list of rules can be as follows:

Address | Prefix | Interface Name | Policy |
---|---|---|---|
10.112.0.1 | 0 | * | REJECT |
10.112.0.1 | 0 | nic0 | ACCEPT |

In the above example, the first rule drops all packets originating from 10.112.0.1 and the second rule accepts all packets originating from 10.112.0.1 only on nic0. In effect, the second rule is always ignored, which is not desired, hence the order has to be swapped. When a connection matches a firewall rule, further processing for the connection stops, and the appliance ignores any additional firewall rules you have set. This operation was added in vSphere API 6.7.1.
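The first-match behaviour described above is easy to get wrong in a rule list that is replaced wholesale by this PUT. The following added example (not VMware's code) models that evaluation for a constructed rule list and lints it for rules that an earlier rule fully shadows, so the list can be checked before it is sent. It assumes the documented prefix semantics (the prefix masks the low-order bits of the address), that both an empty string and "*" mean "all interfaces", and uses a /32 prefix so each rule matches exactly one host.

```python
import ipaddress
import json

# Constructed rule lists: the two rules from the table above, written with a
# /32 prefix so each matches only the host 10.112.0.1 under the documented
# prefix semantics. Treating "" and "*" as "all interfaces" is an assumption.
REJECT_FIRST = [
    {"address": "10.112.0.1", "prefix": 32, "interface_name": "*", "policy": "REJECT"},
    {"address": "10.112.0.1", "prefix": 32, "interface_name": "nic0", "policy": "ACCEPT"},
]
ACCEPT_FIRST = list(reversed(REJECT_FIRST))  # the corrected order

def _iface_covers(rule_iface, iface):
    """True when a rule's interface_name applies to the given interface."""
    return rule_iface in ("", "*") or rule_iface == iface

def _network(rule):
    """address/prefix as a network; strict=False lets the prefix mask host bits."""
    return ipaddress.ip_network(f"{rule['address']}/{rule['prefix']}", strict=False)

def evaluate(rules, src_ip, iface):
    """First-match semantics from the text: the first matching rule decides.
    With no address rule matched, default/port-specific rules apply (RETURN)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        net = _network(rule)
        if ip.version == net.version and ip in net and _iface_covers(rule["interface_name"], iface):
            return rule["policy"]
    return "RETURN"

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers every source address and interface they would match."""
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            same_family = _network(earlier).version == _network(later).version
            if (same_family and _network(later).subnet_of(_network(earlier))
                    and _iface_covers(earlier["interface_name"], later["interface_name"])):
                hidden.append(j)
                break
    return hidden

def build_body(rules):
    """Serialise the rule list into the PUT request body shown below."""
    return json.dumps({"rules": rules})

if __name__ == "__main__":
    print(shadowed(REJECT_FIRST), evaluate(REJECT_FIRST, "10.112.0.1", "nic0"))  # [1] REJECT
    print(shadowed(ACCEPT_FIRST), evaluate(ACCEPT_FIRST, "10.112.0.1", "nic0"))  # [] ACCEPT
```

Running `shadowed` on a candidate list before the PUT flags exactly the ordering mistake the text warns about; a non-empty result means some rule will never be reached.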
Request:

HTTP request

PUT https://{server}/rest/appliance/networking/firewall/inbound

Request Body Structure:

```json
{
  "rules": [
    {
      "address": "string",
      "prefix": 1,
      "interface_name": "string",
      "policy": "IGNORE"
    },
    {
      "address": "string",
      "prefix": 1,
      "interface_name": "string",
      "policy": "IGNORE"
    }
  ]
}
```
Request Body Parameters (bold = required):

Name | Type | Description |
---|---|---|
**rules** | rule[] | List of address-based firewall rules. |
**rules[].address** | string | IPv4 or IPv6 address. This attribute was added in vSphere API 6.7.1. |
**rules[].prefix** | long | CIDR prefix used to mask the address. For example, an IPv4 prefix of 24 ignores the low-order 8 bits of the address. This attribute was added in vSphere API 6.7.1. |
**rules[].policy** | string | The allow or deny policy of this rule. This attribute was added in vSphere API 6.7.1. The value is one of the firewall rule policies (enumeration added in vSphere API 6.7.1): IGNORE: drop the packet with the corresponding address; ACCEPT: allow the packet with the corresponding address; REJECT: drop the packet with the corresponding address and reply that the destination is not reachable; RETURN: apply the default or port-specific rules to the packet with the corresponding address. Each constant was added in vSphere API 6.7.1. |
rules[].interface_name | string | The interface to which this rule applies. An empty string indicates that the rule applies to all interfaces. This attribute was added in vSphere API 6.7.1. Optional. |
Response:

HTTP Status Code: 200

None

Errors:

HTTP Status Code | Type | Description |
---|---|---|
500 | error | Generic error |