Hardening ESXi, firewall ruleset allowedip

    Posted Jul 02, 2021 03:40 PM

    Hello all,

    I would like to harden a single ESXi instance that doesn't need to be connected to any vCenter or other services.
    It's in fact managed only locally via KVM, web access and SSH, using only certain IPs.

    The instance is just an ESXi deployed with out-of-the-box default configuration, nothing custom or else.
    Just created a datastore and a couple of VMs that are working fine.

    I am putting behind a firewall allowedip rule, any service that doesn't need to be publicly exposed.
    My question is: what to restrict safely without breaking ESXi functionalities, sensors or self diagnostic?

    I did some tests, but I guess it's better to ask about some services that I don't know precisely.
    I guess the following services can of course be placed safely behind an allowedip rule (tested):

    • sshServer
    • webAccess
    • httpClient
    • updateManager
    • vMotion
    • vSphereClient

    The following services I guess should remain exposed (tested: without the dns service, ESXi loses part of its network configuration):

    • dns

    But what about the following services? What is safe to put behind a rule, and what needs to be necessarily exposed, without a rule?

    • dhcp
    • sshClient
    • nfsClient
    • nfs41Client
    • snmp
    • ntpClient
    • CIMHttpServer
    • CIMHttpsServer
    • CIMSLP
    • iSCSI
    • vpxHeartbeats
    • faultTolerance
    • activeDirectoryAll
    • NFC
    • HBR
    • ftpClient
    • gdbserver
    • DVFilter
    • DHCPv6
    • DVSSync
    • syslog
    • WOL
    • vSPC
    • remoteSerialPort
    • rdt
    • cmmds
    • rabbitmqproxy
    • ipfam
    • vvold
    • iofiltervp
    • esxupdate
    • vit
    • vsanEncryption
    • pvrdma
    • vic-engine
    • vsanhealth-unicasttest

    Thanks to everyone that will clarify my doubt!
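The allowedip restriction the post describes, as an added example script that is not part of the original post: it uses the `esxcli network firewall ruleset` commands to put the six rulesets the poster already tested behind an allowed-IP list, adding the addresses before switching off "allowed all" so the management session is not cut off in between. The ALLOWED_IPS and RULESETS values are constructed placeholders, and DRY_RUN=1 (the default) only prints the commands for review instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's or VMware's own script.
# Assumes it runs in the ESXi shell (or over SSH) as a user allowed to call esxcli.

# Constructed sample values: the management hosts that may still reach the
# restricted services. Replace with the real KVM/admin addresses.
ALLOWED_IPS="${ALLOWED_IPS:-192.0.2.10 192.0.2.0/28}"
# Rulesets the post already reported as safe to restrict.
RULESETS="${RULESETS:-sshServer webAccess httpClient updateManager vMotion vSphereClient}"
# DRY_RUN=1 prints the esxcli commands; set DRY_RUN=0 to actually apply them.
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Put one ruleset behind an allowed-IP list: first add every allowed
# address, then disable allowed-all, which is what activates the list.
restrict_ruleset() {
  rs="$1"; shift
  for ip in "$@"; do
    run esxcli network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$ip"
  done
  run esxcli network firewall ruleset set --ruleset-id "$rs" --allowed-all false
}

# Show the resulting allowed-IP list of one ruleset, for verification.
show_ruleset() {
  run esxcli network firewall ruleset allowedip list --ruleset-id "$1"
}

# Apply the restriction to every ruleset in RULESETS.
restrict_all() {
  for rs in $RULESETS; do
    restrict_ruleset "$rs" $ALLOWED_IPS
  done
}

# Review the plan first; rerun with DRY_RUN=0 from the KVM console to apply it.
restrict_all
```

Apply it from the KVM console rather than over SSH, so that a typo in ALLOWED_IPS cannot lock the session that is changing the rule.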