To minimize the risk of an attack through the management interface, ESXi includes a firewall between the management interface and the network. To ensure the integrity of the host, only a small number of firewall ports are open by default. The vSphere Security documentation explains how to set up firewalls for your environment and which ports you might have to temporarily enable for certain traffic.
You manage firewalls by setting up firewall rulesets. The vSphere Security documentation explains how to perform these tasks by using the vSphere Client. You can also use esxcli network firewall to manage firewall rulesets and to retrieve information about them. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.
Procedure
- Check the firewall status and the sshServer ruleset status. The firewall should be enabled with a default action of DROP.
  esxcli <conn_options> network firewall get
  Default Action: DROP
  Enabled: true
  Loaded: true
  esxcli <conn_options> network firewall ruleset list --ruleset-id sshServer
  Name       Enabled
  ---------  -------
  sshServer  true
- Enable the sshServer ruleset if it is disabled.
  esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --enabled true
- Obtain access to the ESXi Shell and check the status of the allowedAll flag. A value of All means the flag is true: the service accepts connections from any source address, and the ruleset's allowed IP list is not consulted.
  esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer
  Ruleset    Allowed IP Addresses
  ---------  --------------------
  sshServer  All
  See Getting Started with ESXCLI for information on accessing the ESXi Shell.
- Set the allowedAll flag to false. From this point on, only source addresses in the ruleset's allowed IP list can reach the SSH service, so make sure that list will include the address or subnet you administer the host from.
  esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --allowed-all false
- Add the list of allowed IP addresses. Both single addresses and CIDR subnets are accepted.
  esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.1.0/24
  esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.10.10
- Check the allowed IP address list.
  esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer
  Ruleset    Allowed IP Addresses
  ---------  -----------------------------
  sshServer  192.XXX.10.10, 192.XXX.1.0/24
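The procedure above, as an added shell example that is not part of the vSphere documentation: audit helpers that parse the text printed by esxcli network firewall get and esxcli network firewall ruleset allowedip list, plus a wrapper that applies the sshServer restriction to a live host. The sample command output is constructed to match the formats shown on this page, and the ESXCLI_CONN variable (holding whatever you would type in place of <conn_options>) is an assumption of this script, not an esxcli feature.

```shell
#!/bin/sh
# Added example (not from the vSphere documentation): helpers that audit the
# text printed by `esxcli network firewall ...` and a wrapper that applies the
# sshServer restriction from the procedure above.

# Constructed sample of `esxcli network firewall get` output.
SAMPLE_FIREWALL='   Default Action: DROP
   Enabled: true
   Loaded: true'

# Constructed sample of `esxcli network firewall ruleset allowedip list`
# output (no --ruleset-id, so every ruleset is listed).
SAMPLE_ALLOWEDIP='Ruleset        Allowed IP Addresses
-------------  ---------------------------
sshServer      All
sshClient      All
vSphereClient  192.0.2.10, 192.0.2.0/24
snmp           All'

# Read `firewall get` output on stdin; succeed only if the firewall is
# enabled and its default action is DROP.
firewall_enforcing() {
    awk '/^[ \t]*Enabled: true[ \t]*$/ { e = 1 }
         /^[ \t]*Default Action: DROP[ \t]*$/ { d = 1 }
         END { if (e && d) exit 0; exit 1 }'
}

# Read `allowedip list` output on stdin; print the name of every ruleset
# whose allowedAll flag is set (shown as "All"), one per line.
open_rulesets() {
    awk 'NR > 2 && $2 == "All" { print $1 }'
}

# Read `allowedip list` output on stdin and check one ruleset by name.
# Exit status: 0 restricted to explicit addresses, 1 open to all sources,
# 2 ruleset not present in the listing.
ruleset_is_restricted() {
    line=$(awk -v r="$1" 'NR > 2 && $1 == r { print; exit }')
    [ -n "$line" ] || return 2
    printf '%s\n' "$line" | awk '{ if ($2 == "All") exit 1; exit 0 }'
}

# Apply the procedure to a live host. ESXCLI_CONN holds the <conn_options>
# (for example "--server esx01 --username root"); it is an assumption of
# this script. Addresses are added before allowedAll is cleared so there is
# never a moment where the allow list is empty and every new SSH connection
# is refused.
restrict_sshserver() {
    [ $# -gt 0 ] || { echo "usage: restrict_sshserver <ip-or-cidr>..." >&2; return 2; }
    esxcli $ESXCLI_CONN network firewall ruleset set --ruleset-id sshServer --enabled true
    for src in "$@"; do
        esxcli $ESXCLI_CONN network firewall ruleset allowedip add \
            --ruleset-id sshServer --ip-address "$src"
    done
    esxcli $ESXCLI_CONN network firewall ruleset set --ruleset-id sshServer --allowed-all false
    esxcli $ESXCLI_CONN network firewall ruleset allowedip list --ruleset-id sshServer
}

# Usage: sh esxi_fw.sh apply 192.0.2.0/24 192.0.2.10   (changes the host)
#        sh esxi_fw.sh audit                          (runs on the sample text)
case "${1:-}" in
    apply) shift; restrict_sshserver "$@" ;;
    audit)
        if printf '%s\n' "$SAMPLE_FIREWALL" | firewall_enforcing; then
            echo "firewall: enabled, default action DROP"
        else
            echo "firewall: NOT enforcing"
        fi
        echo "rulesets open to all sources:"
        printf '%s\n' "$SAMPLE_ALLOWEDIP" | open_rulesets
        ;;
esac
```

To audit a real host, pipe the live command output into the helpers instead of the samples, for example esxcli <conn_options> network firewall ruleset allowedip list | open_rulesets. The wrapper deliberately reverses the order of the last two steps of the procedure (add addresses, then clear allowedAll) because while allowedAll is true the allow list is ignored, so filling it first costs nothing and avoids a window in which nothing is allowed.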