imsuchageek
Weaksauce
Joined: Jan 5, 2006
Messages: 84
We have spent days on this and have gotten nowhere. Here's the deal. I need to disable ICMP, at a minimum ping/echo, responses from the management IP to all non-local subnets. So in other words, let's say a random ESXi server's IP is 10.10.10.101/24. I need all hosts on 10.10.10.x/24 to respond to pings, but all other hosts on other subnets need to be blocked, such as a host on 10.10.20.x/24.
You would think this is straight forward, but it does not behave how the documentation says it does. I have tried adding rules for TCP/UDP port 7 manually to the host firewall, and only allowing the local subnet, but I'm still pinging away from other hosts on other subnets. Even after refreshing, unloading, reloading, refreshing again, etc. I realize adding manual entries to services.xml will not be persistent through a reboot unless I put a vib together, which I will if that's part of a solution that actually works, but I'm unable to get ping blocked at all. It seems like it's controlled by a mechanism at a higher level than the firewall, which makes no sense to me.
Any insight, ideas, or help would be greatly appreciated. In the end I need to lock down a lot more than ping to the local network, but that's the most important and a very good start. One might suggest just removing the default gateway, or blocking it at the default gateway. That's not an option here. It must be done on the ESXi host. One more thing, most of these hosts are currently running ESXi 6.0 Update 2, although a couple might still be at baseline 6.0.
Thanks in advance,
Mike
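The procedure the post describes (add a custom ruleset for TCP/UDP port 7 to the host firewall, then restrict that ruleset to the local subnet) as an added, runnable example; this is not code from the original post. It assumes ESXi 6.x esxcli syntax (`esxcli network firewall ruleset set/allowedip/refresh`), that the host loads custom rule files placed in /etc/vmware/firewall/ on a firewall refresh, and that the ruleset name `echoLocal` and the subnet 10.10.10.0/24 are illustrative. As the post itself notes, a file written this way does not survive a reboot unless packaged into a VIB, and the post reports that ping (ICMP) was still answered after this was done; ESXi firewall rules are expressed as TCP/UDP ports, which is what this example restricts. The `ESXCLI` and `RULE_DIR` variables exist so the script can be dry-run off-host (`ESXCLI=echo`).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ESXi 6.x esxcli syntax
# and that custom XML rule files under /etc/vmware/firewall/ are loaded on
# "esxcli network firewall refresh". Override ESXCLI/RULE_DIR to dry-run.
ESXCLI="${ESXCLI:-esxcli}"
RULE_DIR="${RULE_DIR:-/etc/vmware/firewall}"

# write_echo_ruleset NAME
# Write a custom ruleset file that opens TCP and UDP destination port 7
# inbound (the "echo" service the post tried). Prints the file path.
# NOTE: this file is not persistent across reboots unless shipped in a VIB.
write_echo_ruleset() {
  name="$1"
  file="$RULE_DIR/$name.xml"
  cat > "$file" <<EOF
<ConfigRoot>
  <service id="0000">
    <id>$name</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>7</port>
    </rule>
    <rule id="0001">
      <direction>inbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>7</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
  printf '%s\n' "$file"
}

# restrict_ruleset RULESET_ID CIDR [CIDR...]
# Turn off "allow from all" for the ruleset, whitelist only the given
# networks, reload the firewall, and print the resulting allowed-IP list.
# Every network must be in CIDR form so a bare host address is not
# silently accepted as the whole subnet.
restrict_ruleset() {
  id="$1"; shift
  [ $# -gt 0 ] || { echo "restrict_ruleset: need at least one CIDR" >&2; return 1; }
  for net in "$@"; do
    case "$net" in
      */*) ;;
      *) echo "restrict_ruleset: '$net' is not in CIDR form (e.g. 10.10.10.0/24)" >&2; return 1 ;;
    esac
  done
  "$ESXCLI" network firewall ruleset set --ruleset-id "$id" --allowed-all false
  for net in "$@"; do
    "$ESXCLI" network firewall ruleset allowedip add --ruleset-id "$id" --ip-address "$net"
  done
  "$ESXCLI" network firewall refresh
  "$ESXCLI" network firewall ruleset allowedip list --ruleset-id "$id"
}

# Usage on the host:  sh lockdown.sh 10.10.10.0/24
# Dry run elsewhere:  ESXCLI=echo RULE_DIR=/tmp sh lockdown.sh 10.10.10.0/24
if [ $# -gt 0 ]; then
  write_echo_ruleset echoLocal
  restrict_ruleset echoLocal "$@"
fi
```

After running this, `esxcli network firewall ruleset list` should show `echoLocal` enabled, and `allowedip list` should show only the local subnet; a host on 10.10.20.x should then be unable to reach TCP/UDP 7 on the management IP. That says nothing about ICMP echo, which is the behaviour the post is asking about.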