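Earlier, through the web UI, I configured a rule that allows only 172.22.110.10 to access the web UI, which left my own machine unable to connect. Fortunately SSH still worked, so the rule can be fixed from the command line.
- View the command help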
[root@NODE12:~] esxcli --help
Usage: esxcli [options] {namespace}+ {cmd} [cmd options]
Options:
--formatter=FORMATTER
Override the formatter to use for a given command. Available formatter: keyvalue, xml, csv
--debug Enable debug or internal use options
--version Display version information for the script
-?, --help Display usage information for the script
Available Namespaces:
device Device manager commands
esxcli Commands that operate on the esxcli system itself allowing users to get additional information.
fcoe VMware FCOE commands.
graphics VMware graphics commands.
hardware VMKernel hardware properties and commands for configuring hardware.
iscsi VMware iSCSI commands.
network Operations that pertain to the maintenance of networking on an ESX host. This includes a wide variety of commands to manipulate virtual networking components
(vswitch, portgroup, etc) as well as local host IP, DNS and general host networking settings.
nvme VMware NVMe driver esxcli extensions
rdma Operations that pertain to remote direct memory access (RDMA) protocol stack on an ESX host.
sched VMKernel system properties and commands for configuring scheduling related functionality.
software Manage the ESXi software image and packages
storage VMware storage commands.
system VMKernel system properties and commands for configuring properties of the kernel core system and related system services.
vm A small number of operations that allow a user to Control Virtual Machine operations.
vsan VMware vSAN commands
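- Check the firewall status. It is enabled; turning the firewall off outright is not recommended, because that leaves the host open to attack.
[root@NODE12:~] esxcli network firewall get
   Default Action: DROP
   Enabled: true
   Loaded: true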
- List the allowed IP addresses of each firewall ruleset. The vSphereClient entry, 172.22.110.10, is the rule configured earlier that allows only that address to reach the web UI.
[root@NODE12:~] esxcli network firewall ruleset allowedip list
Ruleset                 Allowed IP Addresses
----------------------  --------------------
sshServer               All
sshClient               All
nfsClient               All
nfs41Client             All
dhcp                    All
dns                     All
snmp                    All
ntpClient               All
CIMHttpServer           All
CIMHttpsServer          172.22.110.0/24
CIMSLP                  All
iSCSI                   All
vpxHeartbeats           All
updateManager           All
faultTolerance          All
webAccess               All
vMotion                 All
vSphereClient           172.22.110.10
activeDirectoryAll      All
NFC                     All
HBR                     All
ftpClient               All
httpClient              All
gdbserver               All
DVFilter                All
DHCPv6                  All
DVSSync                 All
syslog                  All
WOL                     All
vSPC                    All
remoteSerialPort        All
rdt                     All
cmmds                   All
rabbitmqproxy           All
ipfam                   All
vvold                   All
iofiltervp              All
esxupdate               All
vit                     All
vsanEncryption          All
pvrdma                  All
vic-engine              All
vsanhealth-unicasttest  All
- Add the local machine's IP address to the corresponding ruleset: -i specifies the IP address to add, -r specifies the ruleset to add it to.
[root@NODE12:~] esxcli network firewall ruleset allowedip add -i 172.22.110.20 -r vSphereClient
- Check that the rule took effect; the local machine's IP now appears in the ruleset.
[root@NODE12:~] esxcli network firewall ruleset allowedip list
Ruleset                 Allowed IP Addresses
----------------------  -----------------------------
sshServer               All
sshClient               All
nfsClient               All
nfs41Client             All
dhcp                    All
dns                     All
snmp                    All
ntpClient               All
CIMHttpServer           All
CIMHttpsServer          172.22.190.0/24
CIMSLP                  All
iSCSI                   All
vpxHeartbeats           All
updateManager           All
faultTolerance          All
webAccess               All
vMotion                 All
vSphereClient           172.22.110.10, 172.22.110.20
activeDirectoryAll      All
NFC                     All
HBR                     All
ftpClient               All
httpClient              All
gdbserver               All
DVFilter                All
DHCPv6                  All
DVSSync                 All
syslog                  All
WOL                     All
vSPC                    All
remoteSerialPort        All
rdt                     All
cmmds                   All
rabbitmqproxy           All
ipfam                   All
vvold                   All
iofiltervp              All
esxupdate               All
vit                     All
vsanEncryption          All
pvrdma                  All
vic-engine              All
vsanhealth-unicasttest  All
- Access the web UI to verify: success.
For more commands, see Baidu Zhidao.
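A check that catches this kind of lockout before it happens, as an added example (not part of the original post): it parses the `allowedip list` output and reports whether a given client address is covered by a ruleset, including `All` and CIDR entries. The function names and the embedded sample listing are constructed for illustration, and only IPv4 entries are handled.

```shell
#!/bin/sh
# Constructed sample: three rows in the shape of the
# `esxcli network firewall ruleset allowedip list` output shown on this page.
SAMPLE='Ruleset                 Allowed IP Addresses
----------------------  ----------------------------
sshServer               All
CIMHttpsServer          172.22.110.0/24
vSphereClient           172.22.110.10, 172.22.110.20'

# ip_to_int A.B.C.D : print the IPv4 address as a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# entry_covers ENTRY IP : succeed if ENTRY ("All", an address or a CIDR) includes IP.
entry_covers() {
    [ "$1" = "All" ] && return 0
    case $1 in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1; bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# ruleset_allows RULESET IP : read the listing on stdin.
# Returns 0 if IP is allowed, 1 if it is not, 2 if RULESET is not listed.
ruleset_allows() {
    result=2
    while read -r name rest; do
        [ "$name" = "$1" ] || continue
        result=1
        for e in $(echo "$rest" | tr ',' ' '); do
            entry_covers "$e" "$2" && return 0
        done
    done
    return $result
}

# Demo on the constructed sample; on a host, pipe the real listing in instead.
if printf '%s\n' "$SAMPLE" | ruleset_allows vSphereClient 172.22.110.20; then
    echo "172.22.110.20 is allowed by vSphereClient"
fi
```

On the host, run it as `esxcli network firewall ruleset allowedip list | ruleset_allows vSphereClient <your IP>` after restricting a ruleset and before closing the session that made the change.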



