We are not a 'usual' customer as you're possibly already aware (Frank is). So, you have now! Our first attempt was to add over 300 addresses! LOL! Only by being very selective can we get the list down to around 100 entries, which has two problems:
1. We are not sure the list will be complete enough.
2. There is no room for expansion.
We have quite strict requirements to meet in many areas that give us challenges all the time. This is just another one of those.
What is a little disappointing is that this information is not included anywhere in the documentation that covers this topic. All of the guides and material we looked at, even those that described how to populate the list, gave no hints that there was a limit at all, let alone what it actually was.
In finding out that the limit is fixed at 128, we assume this comes back to the warning in the vSphere Security Guidance (formerly Hardening Guide) which, for the "ESXi.firewall-restrict-access" guideline, says the firewall should be used to restrict access to services on the host, and further warns that using the firewall beyond protecting access to SSH and web access can affect system performance.
Our thoughts are that this implies that the firewall is very simplistic and that it has to search the allow list for the source IP of every packet received, meaning increased latency for packets coming from nodes far down the list, and that 128 might be a practical limit where these searches start becoming unacceptably long. Would that be right?
Thanks for the response though.
Whilst I have your attention...
Would I be right in saying that the firewall acts on all traffic inbound and outbound from all VMKernel adapters?
So it would also affect iSCSI storage traffic?
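Since the guides the poster consulted never mention the 128-entry ceiling, a defender will want a quick check of how close each ruleset's allowed-IP list is to it. The following is an added example, not code from the thread or from VMware: it parses the table printed by `esxcli network firewall ruleset allowedip list` (the column layout below is assumed from esxcli's usual table output, and the sample table is constructed, not captured from a host) and reports the remaining headroom per ruleset.

```shell
#!/bin/sh
# Count allowed-IP entries per ESXi firewall ruleset and report headroom
# against the 128-entry limit discussed in the post.
# Input: text output of `esxcli network firewall ruleset allowedip list`
# on stdin. The SAMPLE below is constructed for offline use (RFC 5737
# documentation addresses), not real host output.
LIMIT=128

SAMPLE='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      192.0.2.10, 192.0.2.11, 198.51.100.0/24
vSphereClient  All
ntpClient      203.0.113.1, 203.0.113.2'

# allowedip_count <ruleset>: print the number of entries for one ruleset.
# "All" means the list is unrestricted, which we report as 0 entries.
# Rows 1-2 of the table are the header and underline and are skipped.
allowedip_count() {
    awk -v rs="$1" 'NR > 2 && $1 == rs {
        list = substr($0, index($0, $2))      # everything after the ruleset name
        if (list == "All") { print 0; exit }
        print split(list, parts, ", *"); exit # entries are comma separated
    }'
}

# allowedip_headroom <ruleset>: entries still available below LIMIT.
allowedip_headroom() {
    n=$(allowedip_count "$1")
    echo $((LIMIT - n))
}

# allowedip_report: one line per ruleset with count and headroom, flagging
# any ruleset within 10 entries of the limit. Reads the table on stdin.
allowedip_report() {
    table=$(cat)
    for rs in $(printf '%s\n' "$table" | awk 'NR > 2 { print $1 }'); do
        n=$(printf '%s\n' "$table" | allowedip_count "$rs")
        left=$((LIMIT - n))
        flag=""
        [ "$left" -le 10 ] && flag="  <-- near the 128-entry limit"
        printf '%-16s entries=%-4s headroom=%s%s\n' "$rs" "$n" "$left" "$flag"
    done
}

printf '%s\n' "$SAMPLE" | allowedip_report
```

On a real host, pipe the live esxcli output into `allowedip_report` instead of `SAMPLE`.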