Fed up! How can we disable / block ICMP (ping) on ESXi 6 hosts? We need an expert!!!

imsuchageek

imsuchageek

Weaksauce
Joined
Jan 5, 2006
Messages
84
We have spent days on this and have gotten no where. Here's the deal. I need to disable ICMP, at a minimum ping/echo, responses from the management IP to all non-local subnets. So in other words, lets say a random ESXi server's IP is 10.10.10.101/24. I need all hosts on 10.10.10.x/24 to respond to pings, but all other hosts on other subnets need to be blocked, such as a host on 10.10.20.x/24.


You would think this is straight forward, but it does not behave how the documentation says it does. I have tried adding rules for TCP/UDP port 7 manually to the host firewall, and only allowing the local subnet, but I'm still pinging away from other hosts on other subnets. Even after refreshing, unloading, reloading, refreshing again, etc. I realize adding manual entries to services.xml will not be persistent through a reboot unless I put a vib together, which I will if that's part of a solution that actually works, but I'm unable to get ping blocked at all. It seems like it's controlled by a mechanism at a higher level than the firewall, which makes no sense to me.


Any insight, ideas, or hep would be greatly appreciated. In the end I need to lock down a lot more than ping to the local network, but that's the most important and a very good start. One might suggest just removing the default gateway, or blocking it at the default gateway. That's not an option here. It must be done on the ESXi host. One more thing, most of these hosts are currently running ESXi 6.0 Update 2, although a couple might still be at baseline 6.0


Thanks in advance,

Mike
 
First of all, any router between 10.10.10.0/24 and other subnets?
Do the machines in your ESXI have their own IPs and if so in what subnet?
Port 7 is not what you probably need; this should be a protocol rule.
Back when IPTables was in there I'd tell you right of the bat how to limit ICMP types and all but not anymore.
 
IPTables would make this very easy. Typically, echo replies to pings can be blocked by blocking port 7, which is why I tried to go that route. There are routers in between the subnets, but due to security policies in place, and for other reason, this has to be applied to each host in some way. Very frustrating on all fronts.

Thanks
 
imsuchageek said:
IPTables would make this very easy. Typically, echo replies to pings can be blocked by blocking port 7, which is why I tried to go that route. There are routers in between the subnets, but due to security policies in place, and for other reason, this has to be applied to each host in some way. Very frustrating on all fronts.

Thanks
Click to expand...

So, let me get this straight.
You have N ESXI hosts in place. One ESXi? Two? Unpredictable/changing number?
This is going to have to be set on ESXi hosts on your protected VLAN, correct?
Blocking echo will not work at all, sorry. ICMP doesn't really care about port numbers. It only has types.
I know too little about the ESXi firewall, but because nobody seems to be chiming in, I'll throw this out:
look here: https://kb.vmware.com/selfservice/m...nguage=en_US&cmd=displayKC&externalId=2042189
This says the management interface will respond to everyone on other subnets. So this is going to be a drop rule sitting early in the rule list. Can ESXi pick protocols for rules? if so, this should be simply drop ICMP from not 10.10.10.0/24 .
If you want me to dick around lemme know.

Edit: crazy idea if this is just for testing: Nest your ESXI within a Linux based vanderpool framework and use IPTables there.
 
The KB article says that routed ICMP requests will be responded to from the same VMKernel that received them. There isn't anything by default in ESXi 6's Security profile to block ICMP.

Since imsuchageek has said that blocking ICMP on the routers between the subnets isn't an option due to security policies (I'd be interested to understand why such a policy was put in place btw, not for any other reason then just understanding the rationale), then a Custom VIB would probably be the only real way at a host level to make that sort of change.
 
imsuchageek said:
We have spent days on this and have gotten no where. Here's the deal. I need to disable ICMP, at a minimum ping/echo, responses from the management IP to all non-local subnets. So in other words, lets say a random ESXi server's IP is 10.10.10.101/24. I need all hosts on 10.10.10.x/24 to respond to pings, but all other hosts on other subnets need to be blocked, such as a host on 10.10.20.x/24.


You would think this is straight forward, but it does not behave how the documentation says it does. I have tried adding rules for TCP/UDP port 7 manually to the host firewall, and only allowing the local subnet, but I'm still pinging away from other hosts on other subnets. Even after refreshing, unloading, reloading, refreshing again, etc. I realize adding manual entries to services.xml will not be persistent through a reboot unless I put a vib together, which I will if that's part of a solution that actually works, but I'm unable to get ping blocked at all. It seems like it's controlled by a mechanism at a higher level than the firewall, which makes no sense to me.


Any insight, ideas, or hep would be greatly appreciated. In the end I need to lock down a lot more than ping to the local network, but that's the most important and a very good start. One might suggest just removing the default gateway, or blocking it at the default gateway. That's not an option here. It must be done on the ESXi host. One more thing, most of these hosts are currently running ESXi 6.0 Update 2, although a couple might still be at baseline 6.0


Thanks in advance,

Mike
Click to expand...

I don't believe you are going to be able to disabe ICMP on the host, vcenter has functions that utilize ICMP. It could help if you could post a sanitized network map, another thing you could do is block ICMP using a firewall
 
Why not just have the network team take care of this at the switch/router level? Pretty easy to do and also where it should be done.
 
KapsZ28 said:
Switches and routers we work with most definitely filter ICMP.
Click to expand...

Yes, but they don't filter ICMP by port number. They can filter the protocol but not by port number because ICMP has no headers above layer 3. Remember port numbers is a layer 4 thing which ICMP packets don't have.
 
AeonF1 said:
Yes, but they don't filter ICMP by port number. They can filter the protocol but not by port number because ICMP has no headers above layer 3. Remember port numbers is a layer 4 thing which ICMP packets don't have.
Click to expand...

Then maybe it my lack of understanding. I read it as the OP has hosts on subnet 1 that he doesn't want to respond to pings on subnet 2. We use ACLs to block ports and ICMP between subnets all the time.
 
KapsZ28 said:
Then maybe it my lack of understanding. I read it as the OP has hosts on subnet 1 that he doesn't want to respond to pings on subnet 2. We use ACLs to block ports and ICMP between subnets all the time.
Click to expand...

Using ACLs to block ICMP isn't really blocking the port but more like blocking the code that signifies that its an ICMP packet. It's neither TCP or UDP but it's own thing. It's also pretty essential in networks like error handling and is used more than just pings.
 
AeonF1 said:
Using ACLs to block ICMP isn't really blocking the port but more like blocking the code that signifies that its an ICMP packet. It's neither TCP or UDP but it's own thing. It's also pretty essential in networks like error handling and is used more than just pings.
Click to expand...

Interesting... Definitely above my networking/security skill set. I am curious of use cases for this.
 
You must log in or register to reply here.
Back
Top