Wednesday, September 7, 2011

The new esxi firewall

Esxi introduces a brand new service oriented firewall (not based on iptables).
It can be manipulated with the gui or the cli. It also allows new rules to be added if necessary via the implementation of xml files.

Demo:

# grep firewall /etc/vmware/esx.conf

# more /var/log/esxcli.log

# esxcli network firewall get

# esxcli network firewall ruleset list

# vi /etc/vmware/firewall/fake-ftp.xml
<configroot>
<service>
<id>fake-ftp</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<port>21</port>
</rule>
<enabled>false</enabled>
<required>false</required>
</service>
</configroot>

# esxcli network firewall refresh
# esxcli network firewall ruleset list
# esxcli network firewall ruleset rule list | grep fake-ftp

Note:
If you prefer to edit the default file, back it up first and add a sticky bit to it.
# chmod 1777 service.xml

No comments:

Post a Comment