Last updated: 2019-09-13
Introduction
* ESXi 5.x has a new firewall engine that is not based on iptables
* The firewall is enabled by default
* It allows ICMP pings and communication with DHCP and DNS (UDP only) clients.
Check Host version
vmware -v
VMware ESXi 5.1.0 build-799733
Set by GUI (vSphere Client)
Configuration > Security Profile
Set by CLI
# Check whether the firewall is enabled
esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true
# Disable FW for test
esxcli network firewall set -e false
# List the existing rule sets and their allowed IP addresses
esxcli network firewall ruleset allowedip list
Ruleset Allowed IP Addresses
------------------ --------------------
sshServer All
sshClient All
nfsClient
dhcp All
dns All
snmp All
ntpClient All
CIMHttpServer All
CIMHttpsServer All
esxcli network firewall ruleset list
Name Enabled
------------------ -------
sshServer true
sshClient false
nfsClient true
dhcp true
dns true
# Configuration
Configuration file: /etc/vmware/firewall/service.xml (permissions: -r--r--r--)
<ConfigRoot>
  <!-- Known and blessed services -->
  <service id='0000'>
    <id>sshServer</id>
    <rule id='0000'>  <!-- one service can contain several rules -->
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>22</port>
    </rule>
    <enabled>true</enabled>
    <required>true</required>
  </service>
  <service id='0001'>
    <id>sshClient</id>
    <rule>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>22</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
  ...
</ConfigRoot>
# Refresh the firewall configuration by reading the rule set files if the firewall module is loaded.
esxcli network firewall refresh
# Allow access to the rule set from the specified IP address or range of IP addresses.
esxcli network firewall ruleset allowedip add
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.168.1.0/24
# Remove access to the rule set from the specified IP address or range of IP addresses.
esxcli network firewall ruleset allowedip remove
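As an added example (not part of the original page), the following POSIX shell script cross-checks the two listings shown above: it takes the output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` and reports the rule sets that are both enabled and reachable from any source IP ("All"), which are the candidates for an `allowedip add` restriction. The two listings embedded in the script are constructed sample output in the same column layout, so it runs offline; `open_rulesets_live` is the same check fed from a real host.

```shell
#!/bin/sh
# Added example, not from the original page: find enabled rule sets whose
# allowed-IP list is "All". The two listings below are constructed sample
# output shaped like the esxcli commands named in the comments.

# constructed: shaped like `esxcli network firewall ruleset list`
RULESET_LIST='Name                Enabled
------------------  -------
sshServer           true
sshClient           false
nfsClient           true
dhcp                true
dns                 true
CIMHttpsServer      true'

# constructed: shaped like `esxcli network firewall ruleset allowedip list`
ALLOWEDIP_LIST='Ruleset             Allowed IP Addresses
------------------  --------------------
sshServer           All
sshClient           All
nfsClient
dhcp                All
dns                 All
CIMHttpsServer      192.168.1.0/24'

# open_rulesets RULESET_TEXT ALLOWEDIP_TEXT
# Prints, one per line, the rule sets that are enabled in the first listing
# and whose allowed-IP column is "All" in the second. The header line and
# the dashed separator (NR <= 2) are skipped in both listings.
open_rulesets() {
    enabled=$(printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }')
    printf '%s\n' "$2" | awk -v list="$enabled" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) en[a[i]] = 1 }
        NR > 2 && $2 == "All" && ($1 in en) { print $1 }'
}

# Same check against a live host (only meaningful where esxcli exists).
open_rulesets_live() {
    open_rulesets "$(esxcli network firewall ruleset list)" \
                  "$(esxcli network firewall ruleset allowedip list)"
}

# With the sample data this prints sshServer, dhcp and dns: sshClient is
# disabled, nfsClient has no "All" entry, CIMHttpsServer is restricted.
open_rulesets "$RULESET_LIST" "$ALLOWEDIP_LIST"
```

Each name printed is one you would either restrict with `esxcli network firewall ruleset allowedip add --ruleset-id <name> --ip-address <cidr>` or disable if the service is not needed.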
Make service.xml writable
Modify the access permissions of the service.xml file to allow writes by running the chmod command:
# To allow writes:
chmod 644 /etc/vmware/firewall/service.xml
# To toggle the sticky bit flag:
chmod +t /etc/vmware/firewall/service.xml
# vi no auto-indent
:set noai
# After editing, remember to set it back to read-only:
chmod 444 /etc/vmware/firewall/service.xml
Add your own firewall rule
# Enable wget to another port
Add the following to /etc/vmware/firewall/service.xml:
<service id="0033">
  <id>Port8080</id>
  <rule id='0000'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <porttype>dst</porttype>
    <port>8080</port>
  </rule>
  <enabled>true</enabled>
  <required>false</required>
</service>
esxcli network firewall refresh
Keep the rule after reboot
A custom ESXi firewall rule will not persist after a reboot,
so create a custom VIB or an entry in local.sh to make sure it is recreated after a system reboot.
# outbound connection
/etc/rc.local.d/local.sh
/bin/cat > /etc/vmware/firewall/email.xml << EOF
<ConfigRoot>
<service>
<id>email</id>
<rule id="0000">
<direction>outbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>25</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>
EOF
/sbin/esxcli network firewall refresh
exit 0
# inbound connection
/bin/cat > /etc/vmware/firewall/ESXiPanel.xml << EOF
<ConfigRoot>
  <service id='0000'>
    <id>ESXiPanel</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>7443</port>
    </rule>
    <enabled>true</enabled>
    <required>true</required>
  </service>
</ConfigRoot>
EOF
/sbin/esxcli network firewall refresh
exit 0
List current connections
esxcli network ip connection list
localcli
The strength of localcli is that it does not depend on hostd; it can run directly
localcli network firewall ruleset list
Change Management Port
ESXi 7
/etc/vmware/rhttpproxy/config.xml
<proxy>
  <auditLogging>true</auditLogging>
  <!-- default location of the proxy config file -->
  <endpoints>/etc/vmware/rhttpproxy/endpoints.conf</endpoints>
  <!-- HTTP port to be used by the reverse proxy -->
  <httpPort>80</httpPort>
  <!-- HTTPS port to be used by the reverse proxy -->
  <httpsPort>8443</httpsPort>
</proxy>
/etc/init.d/rhttpproxy restart
/etc/vmware/firewall/service.xml
<service id='0017'>
  <id>vSphereClient</id>
  <rule id='0000'>
    <direction>inbound</direction>
    <protocol>tcp</protocol>
    <porttype>dst</porttype>
    <port>902</port>
  </rule>
  <rule id='0001'>
    <direction>inbound</direction>
    <protocol>tcp</protocol>
    <porttype>dst</porttype>
    <port>443</port>
  </rule>
  <enabled>true</enabled>
  <required>true</required>
</service>
Or
/etc/vmware/firewall/changes.xml
<ConfigRoot>
  <service>
    <id>changedport</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>8443</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
esxcli network firewall refresh
* To make it permanent you need to do the same but save it inside a VIB
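Both the custom-rule section above (Port8080, email, ESXiPanel) and the changed management port (changes.xml) follow the same pattern: a small rule-set XML file in /etc/vmware/firewall/, recreated from local.sh on every boot, followed by `esxcli network firewall refresh`. As an added example (not the page's own script), the POSIX shell function below generates such a file from parameters and refuses names, directions, protocols or ports that would produce a malformed or surprising rule. The output directory is a parameter so the function can be tried in a scratch directory first; `/etc/vmware/firewall` is the real location on the host, and the function name `write_fw_rule` is this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: generate one rule-set file for
# /etc/vmware/firewall/ with validated parameters. Intended to be pasted into
# /etc/rc.local.d/local.sh so the rule survives a reboot.

# write_fw_rule NAME DIRECTION PROTOCOL PORT [OUTDIR]
# Writes OUTDIR/NAME.xml (OUTDIR defaults to /etc/vmware/firewall).
# Returns 1, writing nothing, when any parameter is invalid.
write_fw_rule() {
    name=$1 dir=$2 proto=$3 port=$4 outdir=${5:-/etc/vmware/firewall}

    # The name ends up inside XML tags and in the file name: identifiers only.
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "bad rule name: '$name'" >&2; return 1 ;;
    esac
    case $dir in
        inbound|outbound) ;;
        *) echo "direction must be inbound or outbound" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range: $port" >&2; return 1; }

    # <required>false</required> keeps the rule set disable-able later with
    # `esxcli network firewall ruleset set --ruleset-id NAME --enabled false`.
    cat > "$outdir/$name.xml" << EOF
<ConfigRoot>
  <service id='0000'>
    <id>$name</id>
    <rule id='0000'>
      <direction>$dir</direction>
      <protocol>$proto</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Demo against a scratch directory (constructed; nothing under /etc is touched).
demo() {
    tmp=$(mktemp -d)
    write_fw_rule Port8080 outbound tcp 8080 "$tmp" && cat "$tmp/Port8080.xml"
    write_fw_rule changedport inbound tcp 8443 "$tmp" && cat "$tmp/changedport.xml"
    write_fw_rule 'bad name' inbound tcp 22 "$tmp" || echo "rejected as expected"
    write_fw_rule p1 inbound tcp 70000 "$tmp" || echo "rejected as expected"
    rm -rf "$tmp"
}

demo
```

On the host the local.sh entry is `write_fw_rule changedport inbound tcp 8443` (with the function pasted above it) followed by `/sbin/esxcli network firewall refresh`, exactly the sequence the page's own local.sh snippets use.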
Show listen port
lsof | grep SOCKET_INET
moid
moid = Managed Object ID
VMware internal identifier that is generated by vSphere when new objects like VMs are created
Type:
- Virtual machine # assigned at creation, independent of power state
- Datastore
- Datacenter
- Resource pool
- ESXi host
Get VM moid
vim-cmd vmsvc/getallvms
Cheat list
esxcli network firewall get
esxcli network firewall set -e false
esxcli network firewall ruleset list
esxcli network firewall ruleset allowedip list
esxcli network ip connection list
localcli network firewall ruleset list