Zur Behebung von Problemen mit der verteilten Firewall auf einem ESXi-Host können Sie die Firewallregeln überprüfen, die auf diesem Host tatsächlich an den vNICs der VMs durchgesetzt werden. Die folgenden Befehle werden als root in der ESXi-Shell ausgeführt; der dafür benötigte Shell-Zugriff auf den Host sollte nur für die Dauer der Fehlersuche aktiviert bleiben.

So rufen Sie die Liste der DvFilter auf dem ESXi-Host ab (pro vNIC einer VM ein Filter; der Wert in der Zeile `name:` wird in den nachfolgenden `vsipioctl`-Befehlen als Filtername benötigt):

[root@esxi-01:~] summarize-dvfilter
<TRUNCATED OUTPUT>
world 70181 vmm0:app-01a vcUuid:'50 35 9c 70 18 8e 99 1d-3c f9 8e cc 6b 27 4c 6f'
 port 50331655 app-01a.eth0
  vNic slot 2
  name: nic-70181-eth0-vmware-sfw.2
 agentName: vmware-sfw
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failClosed
   slowPathID: none
   filter source: Dynamic Filter Creation
world 70179 vmm0:web-02a vcUuid:'50 35 2b f3 4a 4b 10 83-54 72 50 f7 25 10 d8 64'
 port 50331656 web-02a.eth0
  vNic slot 2
  name: nic-70179-eth0-vmware-sfw.2
 agentName: vmware-sfw
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failClosed
   slowPathID: none
   filter source: Dynamic Filter Creation

Suchen Sie den DvFilter für eine bestimmte VM, indem Sie die Ausgabe nach dem VM-Namen durchsuchen (`less -p <Muster>` springt direkt zum ersten Treffer):

[root@esxi-01:~] summarize-dvfilter | less -p web

world 70179 vmm0:web-02a vcUuid:'50 35 2b f3 4a 4b 10 83-54 72 50 f7 25 10 d8 64'
 port 50331656 web-02a.eth0
  vNic slot 2
  name: nic-70179-eth0-vmware-sfw.2
 agentName: vmware-sfw
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failClosed
   slowPathID: none
   filter source: Dynamic Filter Creation
.
.
.

Ermitteln Sie die Firewallregeln, die für einen bestimmten DvFilter gelten (in diesem Beispiel ist nic-70227-eth0-vmware-sfw.2 der Name des DvFilters). Der Filtername ist hostspezifisch und muss aus der `summarize-dvfilter`-Ausgabe desselben Hosts stammen – das folgende Beispiel wurde auf esxi-02 ausgeführt, nicht auf esxi-01. Die Regeln werden in der angezeigten Reihenfolge (`at 1`, `at 2`, …) ausgewertet; achten Sie deshalb besonders auf die letzte Regel des Regelsatzes: Im Beispiel ist das `rule 2 … from any to any accept`, d. h. jeder Datenverkehr, den keine der expliziten Regeln erfasst, wird zugelassen. Ist eine Whitelist-Strategie (nur explizit erlaubter Verkehr) beabsichtigt, muss diese Standardregel auf `drop` stehen.

[root@esxi-02:~] vsipioctl getrules -f nic-70227-eth0-vmware-sfw.2
ruleset mainrs {
rule 3072 at 1 inout protocol tcp from any to addrset 48822ec3-2670-497b-82f9-524618c16877 port 443 accept with log;
rule 3072 at 2 inout protocol tcp from any to addrset 48822ec3-2670-497b-82f9-524618c16877 port 80 accept with log;
rule 3074 at 3 inout protocol tcp from addrset 48822ec3-2670-497b-82f9-524618c16877 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 8443 accept with log;
rule 3074 at 4 inout protocol tcp from addrset 48822ec3-2670-497b-82f9-524618c16877 to addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e port 22 accept with log;
rule 3075 at 5 inout protocol tcp from addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e to addrset b695c8df-9894-4068-a5e7-5504fe48d459 port 3306 accept with log;
rule 3076 at 6 inout protocol tcp from ip 192.168.110.10 to addrset rdst3076 port 443 accept with log;
rule 3076 at 7 inout protocol icmp typecode 8:0 from ip 192.168.110.10 to addrset rdst3076 accept with log;
rule 3076 at 8 inout protocol tcp from ip 192.168.110.10 to addrset rdst3076 port 22 accept with log;
rule 3076 at 9 inout protocol tcp from ip 192.168.110.10 to addrset rdst3076 port 80 accept with log;
rule 2 at 10 inout protocol any from any to any accept with log;
}
 
ruleset mainrs_L2 {
rule 1 at 1 inout ethertype any stateless from any to any accept;
}

So rufen Sie die Liste der Adressensätze ab, die in einem bestimmten DvFilter verwendet werden. Vergleichen Sie die aufgelösten IP-/MAC-Adressen mit den erwarteten VMs: Ein leerer Adressensatz (im Beispiel `8b9e75e7-…`) bedeutet, dass die Regeln, die ihn referenzieren (hier 3074 und 3075), auf diesem DvFilter auf keinen Datenverkehr zutreffen können – prüfen Sie in diesem Fall die Mitgliedschaft bzw. Übersetzung der zugehörigen Gruppe in NSX:

[root@esxi-02:~]  vsipioctl getaddrsets -f nic-70227-eth0-vmware-sfw.2
addrset 48822ec3-2670-497b-82f9-524618c16877 {
ip 172.16.10.13,
mac 52:54:00:42:4d:38,
}
addrset 8b9e75e7-bc62-4d7f-9a58-a872f393448e {
}
addrset b695c8df-9894-4068-a5e7-5504fe48d459 {
ip 172.16.30.11,
mac 52:54:00:64:0e:4f,
}
addrset rdst3076 {
ip 172.16.10.13,
ip 172.16.30.11,
mac 52:54:00:42:4d:38,
mac 52:54:00:64:0e:4f,
}

Überprüfen Sie die Flows über einen bestimmten DvFilter. Die Kopfzeile nennt u. a. die Anzahl aktiver und verworfener Flows (`drop(...)`); in den Flow-Zeilen steht nach der Richtung (IN/OUT) die ID der Regel, die den Flow zugelassen hat (im Beispiel etwa 3076 für SSH von 192.168.110.10, 3072 für HTTP, 3074 für 8443). Flows mit der Regel-ID 2 – hier z. B. DNS, IGMP und ICMPv6 – wurden nur von der Standardregel zugelassen und sind durch keine explizite Regel abgedeckt:

[root@esxi-02:~] vsipioctl getflows -f nic-75360-eth0-vmware-sfw.2
Count retrieved from kernel active(L3,L4)=20, active(L2)+inactive(L3,L4)=0, drop(L2,L3,L4)=0
a5d914f7a5b85fe5 Active tcp 0800 IN 3076 0 0  192.168.110.10:Unknown(51281) -> 172.16.10.11:ssh(22) 513 FINWAIT2:FINWAIT2  4304 5177 34 33
a5d914f7a5b86001 Active tcp 0800 OUT 2 0 0  172.16.10.11:http(80) -> 100.64.80.1:Unknown(60006) 457 SYNSENT:CLOSED  56 819 1 1
a5d914f7a5b86006 Active igmp 0800 IN 2 0 0  0.0.0.0 -> 224.0.0.1 36 0 1 0
a5d914f7a5b86011 Active tcp 0800 IN 3072 0 0  100.64.80.1:Unknown(60098) -> 172.16.10.11:http(80) 320 FINWAIT2:FINWAIT2  413 5411 9 6
a5d914f7a5b86012 Active tcp 0800 OUT 3074 0 0  172.16.10.11:Unknown(46001) -> 172.16.20.11:Unknown(8443) 815 FINWAIT2:FINWAIT2  7418 1230 10 9
a5d914f7a5b86013 Active udp 0800 OUT 2 0 0  172.16.10.11:Unknown(40080) -> 192.168.110.10:domain(53)  268 140 2 2
a5d914f7a5b86014 Active udp 0800 OUT 2 0 0  172.16.10.11:Unknown(59251) -> 192.168.110.10:domain(53)  268 140 2 2
a5d914f7a5b86015 Active ipv6-icmp 86dd OUT 2 0 0  fe80::250:56ff:feb5:a60e -> ff02::1:ff62:5ed4 135 0 0 72 0 1
a5d914f7a5b86016 Active ipv6-icmp 86dd OUT 2 0 0  fe80::250:56ff:feb5:a60e -> ff02::1:ff62:5ed4 135 0 0 72 0 1
a5d914f7a5b86017 Active tcp 0800 IN 3072 0 0  100.64.80.1:Unknown(60104) -> 172.16.10.11:http(80) 320 FINWAIT2:FINWAIT2  413 5451 9 7
a5d914f7a5b86018 Active tcp 0800 OUT 3074 0 0  172.16.10.11:Unknown(46002) -> 172.16.20.11:Unknown(8443) 815 TIMEWAIT:TIMEWAIT  7314 1230 8 9
a5d914f7a5b86019 Active tcp 0800 IN 3072 0 0  100.64.80.1:Unknown(60110) -> 172.16.10.11:http(80) 320 FINWAIT2:FINWAIT2  373 5451 8 7
a5d914f7a5b8601a Active tcp 0800 OUT 3074 0 0  172.16.10.11:Unknown(46003) -> 172.16.20.11:Unknown(8443) 815 FINWAIT2:FINWAIT2  7418 1230 10 9
a5d914f7a5b8601b Active tcp 0800 IN 3072 0 0  100.64.80.1:Unknown(60114) -> 172.16.10.11:http(80) 328 TIMEWAIT:TIMEWAIT  413 5451 9 7
a5d914f7a5b8601c Active tcp 0800 OUT 3074 0 0  172.16.10.11:Unknown(46004) -> 172.16.20.11:Unknown(8443) 815 TIMEWAIT:TIMEWAIT  7262 1218 7 9
a5d914f7a5b8601d Active tcp 0800 OUT 2 0 0  172.16.10.11:http(80) -> 100.64.80.1:Unknown(60060) 457 SYNSENT:CLOSED  56 819 1 1
a5d914f7a5b8601e Active tcp 0800 IN 3072 0 0  100.64.80.1:Unknown(60120) -> 172.16.10.11:http(80) 320 TIMEWAIT:TIMEWAIT  373 5411 8 6
a5d914f7a5b8601f Active tcp 0800 OUT 3074 0 0  172.16.10.11:Unknown(46005) -> 172.16.20.11:Unknown(8443) 815 FINWAIT2:FINWAIT2  7418 1230 10 9
a5d914f7a5b86020 Active tcp 0800 IN 3072 0 0  100.64.80.1:Unknown(60126) -> 172.16.10.11:http(80) 229 EST:EST  173 5371 3 5
a5d914f7a5b86021 Active tcp 0800 OUT 3074 0 0  172.16.10.11:Unknown(46006) -> 172.16.20.11:Unknown(8443) 815 FINWAIT2:FINWAIT2  7418 1230 10 9