While reviewing my lab environment recently, I noticed that my lab ESXi hosts allow connections from any IP address for the NTP service. This is not best practice for a solid environment. I want to allow only specific IP addresses, in case of vulnerabilities in the NTP service. There are a lot of blogs about how to enable or disable a firewall ruleset, but none talk about how to restrict the allowed IP addresses. Below is what I figured out. Please let me know if you see anything I can improve.
# Please connect to vCenter Server with Connect-VIServer before running this script.
$vmhosts = Get-VMHost -Location esxiCluster
foreach ($vmhost in $vmhosts) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Turn off "Allow connections from any IP address" for the ntpClient ruleset.
    $ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $ntpRuleSet.allowedall = "false"
    $ntpRuleSet.rulesetid  = "ntpClient"
    $esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet)

    # Add the permitted NTP server addresses (placeholders, replace with your own).
    $ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $ntpAllowIP.rulesetid = "ntpClient"
    $ntpAllowIP.ipaddress = "192.168.0.1"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
    $ntpAllowIP.ipaddress = "192.168.0.2"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
}
The parameters to customize are the location passed to Get-VMHost (esxiCluster), the ruleset ID (ntpClient) and the two IP addresses. Change them to match your environment.
The script gets all ESXi hosts in the specified location; -Location accepts a container such as a datacenter, cluster or folder (use -Name instead to target a single host). For each host it disables the "Allow connections from any IP address" option of the ntpClient ruleset and then adds two IP addresses to the ruleset's allowed list. Since ESXi is the NTP client here, the ntpClient ruleset covers outbound UDP 123 and the addresses you allow are your NTP servers. Two things to keep in mind: between the two steps the ruleset briefly allows no remote address at all, so adding the addresses before switching off allowedall avoids that window; and the allowed-IP list only matters while the ruleset itself is enabled, so it is worth checking that as well.
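As an added example (not the script from the post above), the following PowerCLI snippet does the same hardening in the safer order: it reads the current allowed-IP list, adds only the addresses that are missing, then disables allowedall, and finally reports each host's state so the change can be verified. It assumes Connect-VIServer has already been run; "esxiCluster" and the two server addresses are placeholders, and the output property names Enabled and AllowedIPAddresses are assumed from the columns of "esxcli network firewall ruleset list" and "esxcli network firewall ruleset allowedip list".

```powershell
# Added example: audit and harden the ntpClient ruleset on every host in a container.
# Assumes Connect-VIServer has been run. $location and $ntpServers are placeholders.
$location   = "esxiCluster"
$rulesetId  = "ntpClient"
$ntpServers = @("192.168.0.1", "192.168.0.2")

foreach ($vmhost in Get-VMHost -Location $location) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Current state: is the ruleset enabled, and which addresses are already allowed?
    $listArgs = $esxcli.network.firewall.ruleset.list.CreateArgs()
    $listArgs.rulesetid = $rulesetId
    $rule = $esxcli.network.firewall.ruleset.list.Invoke($listArgs)

    $ipArgs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs()
    $ipArgs.rulesetid = $rulesetId
    $current = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($ipArgs)
    # Property name assumed from the "Allowed IP Addresses" column of esxcli.
    $allowed = @($current.AllowedIPAddresses)

    # Add the permitted servers first, skipping those already present, so the
    # ruleset never sits in "deny all" while addresses are still being added.
    foreach ($ip in $ntpServers) {
        if ($allowed -notcontains $ip) {
            $addArgs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
            $addArgs.rulesetid = $rulesetId
            $addArgs.ipaddress = $ip
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke($addArgs) | Out-Null
        }
    }

    # Only now switch off "Allow connections from any IP address".
    $setArgs = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $setArgs.rulesetid  = $rulesetId
    $setArgs.allowedall = "false"
    $esxcli.network.firewall.ruleset.set.Invoke($setArgs) | Out-Null

    # Verify: re-read the allowed list and report it together with the ruleset state.
    $after = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($ipArgs)
    [pscustomobject]@{
        Host      = $vmhost.Name
        Enabled   = $rule.Enabled
        AllowedIP = (@($after.AllowedIPAddresses) -join ", ")
    }
}
```

Run it once to apply the change and a second time to confirm it is idempotent: the second run should add nothing and print the same allowed list for every host. A host whose Enabled column is false has the ntpClient ruleset switched off entirely, which the allowed-IP list does not fix.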