emscom > emscom Help Desk > Knowledgebase

Search help:

ESXi 6 firewall configuration


There appears to be an undocumented bug in the ESXi web client, whereby the user interface prevents adding IP addresses to the Allowed IP list.  To workaround the IP and network addresses should be added to the ban list using the ESXi shell (SSH) - See Warning.

Note:  IP Address refers to CIDR notation encompassing individual hosts and subnets.


Fault Summary

By default the ESXi firewall allows connection from all IP addresses, to all services.  In the default configuration the sshServer service is vulnerable to brute force attacks that may cause the root account to be locked out.  An Allowed IP address list can be enabled and configured for each service.  However,  the Web Client appears to suffer a bug whereby only the currently connected client IP is added to the Allow list, and any other additions are dropped silently by the user interface. To work around the bug in the Web Client the esxcli shell command can be used to add IPs to the Allowed IP list - See Warning.



Before adding addresses (over ssh) the Allowed IP list should first be enabled using the Web Client.

DO NOT attempt to enable the Allowed IP list for the sshServer service over an active ssh connection. The Allowed IP list must be enabled before IP addresses can be added.  Enabling the Allowed IP list over an ssh connection will immediately disconnect and disallow the ssh client.


Workaround - Configure ESXi firewall rules from the ESX shell

1. Enable Allowed IP list

Using the ESXi Web Client navigate to the \Networking\Firewall tab

Select the service of interest (sshServer) then click the Actions menu and select Edit Settings

Select the option to Only allow connections from the following networks

Click OK.  The current web client IP is added to the Allowed IP list


2. Add addresses to the Allowed IP list using esxcli command.

Open an SSH connection to the ESXi server.

Show firewall services and rule-set id using the command

 network firewall ruleset list

Show the allowed IP list for the sshServer service using the command

 esxcli network firewall ruleset allowedip list --ruleset-id=sshServer

Add allowed IP to the sshServer service with the following command

 esxcli network firewall ruleset allowedip add --ip-address= --ruleset-id=sshServer

Repeat for additional addresses and subnets

Verify the contents of allow list with the following command

 esxcli network firewall ruleset allowedip list --ruleset-id=sshServer

Reload the firewall rule-set with the following command

  esxicli network firewall refresh



Was this article helpful? yes / no
Related articles QNAP Factory Defaults
DMARC cheat sheet
Disable NLA on XP Remote Desktop Client
QNAP Shared Folders
ESXi 5.0, 5.1, 5.5 Cannot connect from VSphere client on XP
Article details
Article ID: 125
Category: Virtualisation
Date added: 27-12-2019 09:49:50
Views: 122
Rating (Votes): Article not rated yet (0)

« Go back

Powered by Help Desk Software HESK, in partnership with SysAid Technologies