
Set Firewall RuleSets for Clusters/Datacenters

posted May 29, 2014, 12:11 PM by Kris Knight   [ updated Jun 14, 2016, 11:43 AM ]
When setting firewall rules to only accept connections from certain IPs or IP subnets, sometimes host profiles just don't cut it, or you don't have the licensing for host profiles. So, I designed this script to simplify making changes for those secure environments you may be working in. I plan to expand on this to include the enablement and disablement of certain rulesets as well.
Modified to resolve issues with new clusters. New hosts might have the "allow all" option set; if this is the case, the ruleset is changed to an explicit allowed-IP list first.
Happy Scripting!

P.S. The ValidateSet allows you to tab through the different options/rulesets, so have fun with it.



################################################################################
#Author: KnightUSN
#Add or remove IPs in a host firewall ruleset's allowed-IP list
#v1.0 - MAY2014
#USAGE: ./ClusterFirewall "Cluster or Datacenter" <RuleSet> Add/Remove <IP/MASK>
#
#Example: ./ClusterFirewall Cluster1 sshServer add 192.168.1.0/24
#This would add 192.168.1.0/24 to the allowed firewall IP list for SSH Access in the Security Profile for all Hosts in Cluster1
#
#This was designed to simplify changes to host firewall rules for secure environments

################################################################################

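# SupportsShouldProcess gives the script -WhatIf / -Confirm, so a firewall change can be
# previewed per host before it is applied.
[CmdletBinding(SupportsShouldProcess=$True)]
Param(
    # Cluster or datacenter name; every host returned by Get-VMHost -Location is modified.
    [Parameter(Mandatory=$True)]
    [ValidateNotNullOrEmpty()]
    [string]$vCluster,

    # ESXi firewall ruleset id to edit (tab-completable through ValidateSet).
    [Parameter(Mandatory=$True)]
    [ValidateSet("sshServer", "sshClient","nfsClient", "dhcp", "dns", "snmp", "ntpClient", "CIMHttpServer", "CIMHttpsServer", "CIMSLP", "iSCSI", "vpxHeartbeats", "updateManager", "faultTolerance", "webAccess", "vMotion", "vSphereClient", "activeDirectoryAll", "NFC", "HBR", "ftpClient", "httpClient", "gdbserver", "DVFilter", "DHCPv6", "DVSSync", "syslog", "IKED", "WOL", "vSPC", "remoteSerialPort", "netDump", "fdm", "dynamicruleset")]
    [string]$RuleSet,

    # Whether $IPaddress is added to or removed from the ruleset's allowed-IP list.
    [Parameter(Mandatory=$True)]
    [ValidateSet("Add","Remove")]
    [string]$AddRemove,

    # IP address or IP/MASK subnet (e.g. 192.168.1.0/24); passed to esxcli unchanged.
    [Parameter(Mandatory=$True)]
    [ValidateNotNullOrEmpty()]
    [string]$IPaddress
)

#######################################
# Returns $True when the ruleset currently accepts connections from any source,
# i.e. its allowed-IP list reports "All" instead of explicit entries.
# Arguments: $EsxCli    - Get-EsxCli object for the host
#            $RuleSetId - firewall ruleset id
#######################################
Function Test-RuleSetAllowsAll {
    Param($EsxCli, [string]$RuleSetId)
    $allowed = ($EsxCli.network.firewall.ruleset.allowedip.list($RuleSetId) | Select-Object AllowedIPAddresses).AllowedIPAddresses
    Return [bool]($allowed -contains "All")
}

# Force an array so .Count works for zero or one host.
$vHosts = @(Get-VMHost -Location $vCluster)
If ($vHosts.Count -eq 0) {
    Write-Warning "No hosts found in '$vCluster'; nothing to do."
    Return
}

ForEach ($vHost in $vHosts) {
    # Each host is handled independently: one failing host must not stop the rest,
    # and the failure is reported rather than silently leaving a half-applied rule.
    Try {
        $esxcli = Get-EsxCli -VMHost $vHost
        $allowsAll = Test-RuleSetAllowsAll -EsxCli $esxcli -RuleSetId $RuleSet

        If ($AddRemove -eq "Remove" -and $allowsAll) {
            # There is no explicit entry to remove. Switching the ruleset to an explicit
            # (empty) list here would block every client of that service, e.g. SSH or
            # vCenter heartbeats, so the host is skipped instead.
            Write-Warning "$RuleSet on $vHost allows all IPs; skipping removal of $IPaddress"
            Continue
        }

        If (-not $PSCmdlet.ShouldProcess("$vHost", "$AddRemove $IPaddress on ruleset $RuleSet")) {
            Continue
        }

        If ($AddRemove -eq "Add") {
            Write-Host "Configuring $RuleSet on $vHost to ALLOW $IPaddress"
            If ($allowsAll) {
                # ruleset.set(allowedall, enabled, rulesetid): turn off "allow all" so the
                # entry added below becomes the explicit allowed-IP list.
                $esxcli.network.firewall.ruleset.set($False, $True, $RuleSet)
            }
            $esxcli.network.firewall.ruleset.allowedip.add($IPaddress, $RuleSet)
        } Else {
            Write-Host "Configuring $RuleSet on $vHost to REMOVE $IPaddress"
            $esxcli.network.firewall.ruleset.allowedip.remove($IPaddress, $RuleSet)
        }
        # Apply the new allowed-IP list on the host.
        $esxcli.network.firewall.refresh()
    } Catch {
        Write-Error "Failed to update $RuleSet on ${vHost}: $_"
    }
}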