Closed. dcarlojr closed this issue 6 years ago.
List of ports to exclude: https://kb.vmware.com/s/article/2039095
The following PRs need to be merged (following the instructions in the PRs):
Related vOneCloud issue https://github.com/OpenNebula/vonecloud/issues/11, will be fixed before next vOneCloud release.
Bug Report
Version of OpenNebula
Component
Description
The fw-vnc package for ESXi creates a firewall rule that opens ports 5900-65535. When a specific host is specified as the source (i.e. esxcli network firewall ruleset allowedip add --ruleset-id VNC --ip-address 192.168.0.1/32), the ESXi host will restrict traffic to that specific host (e.g. 192.168.0.1/32) for other rules in the range of 5900-65535. I found this issue after the fw-vnc package broke vSAN by inadvertently blocking port 8080. As a workaround, I created a new firewall service in /etc/vmware/firewall that only opens 5900-5978. Any higher and I'm afraid of breaking the ESXi CIM service.
Expected Behavior
The /etc/vmware/firewall/vnc.xml file should allow traffic to all ports from 5900 and up only for the specified host.
Actual Behavior
Somehow, the VNC firewall rule in the fw-vnc package steps on other services in the 5900-65535 range.
How to reproduce
# esxcli software vib install -v /tmp/fw-vnc.vib
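The narrowed service file the workaround describes, written out here as an added example rather than the reporter's actual file: it follows the standard ESXi firewall service XML layout, with the filename, the ruleset id (VNC-limited) and the service/rule ids (0000) chosen as placeholders, and opens only 5900-5978 in place of the package's 5900-65535.

```xml
<!-- /etc/vmware/firewall/vnc-limited.xml (assumed filename; not the fw-vnc package file) -->
<ConfigRoot>
  <!-- The fw-vnc rule this replaces spans <begin>5900</begin> to <end>65535</end>.
       Because an allowedip restriction applies to the whole ruleset, that wide
       range is what let the restriction catch unrelated services such as vSAN on 8080. -->
  <service id="0000">
    <id>VNC-limited</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>5900</begin>
        <end>5978</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
```

After the file is in place, `esxcli network firewall refresh` loads it, and the allowedip restriction from the report can then be applied to the VNC-limited ruleset id instead of VNC.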