Cannot add allowed IP addresses for "NFS Client" in ESXi host 8.0 U2b or later

Article ID: 372409

Products

VMware vSphere ESXi 8.0

Issue/Introduction

  • The Update option for the Incoming/Outgoing firewall rule "NFS Client" is greyed out in ESXi 8.0 U2b or later.

  • Attempting to change the allowed IP list of certain services, such as NFS Client (nfsClient) or nfs41Client, under the ESXi host's Configure -> System -> Firewall returns an error similar to the following:
    Apply security profile failed!
    
    Cannot change the host configuration.
    Invalid operation requested: Can not change allowed ip list of this ruleset, it is owned by system service.

Environment

VMware vSphere ESXi 8.0 U2b and later

Cause

  • With ESXi 8.0 Update 2, some ESXi firewall rulesets (for example, DHCP) became system-owned by default. A system-owned ruleset does not accept manually added allowed IP addresses, so that a misconfigured allowed list cannot break the service.

  • With ESXi 8.0 Update 2b, you can manually add allowed IP addresses to all rulesets except nfsClient, nfs41Client, trusted-infrastructure-kmxd, trusted-infrastructure-kmxa, and vsanEncryption.

Resolution

Although this is not possible through the vCenter web UI, the IP address can be added to the allowed list from the ESXi Shell of the affected host (for example over SSH) using the steps below. The /8 prefix length in the commands is only an example: a /8 admits about 16.7 million addresses, so use the narrowest mask that covers your NFS servers.

  1. Add an IP entry using the below command:
    # esxcli storage nfs firewall add -F <IP address>/8

  2. Confirm that the IP is added successfully using the below command:
    # esxcli network firewall ruleset allowedip list | grep nfs
    
    nfsClient     <IP address>/8
    nfs41Client     All

    "All" for nfs41Client means that no allowed-IP restriction is in place for that ruleset.

  3. Validate the currently configured firewall rules for NFS:
    # esxcli storage nfs firewall list
    
    Allowed IPMask: <IP address>/8
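
The script below is an added example and is not part of this article or of the ESXi tooling. It wraps the three steps above so that the entry is added only if it is not already present, the result is confirmed by re-reading the allowed list rather than trusting the exit status of the add, and an overly broad prefix is flagged. It assumes the esxcli flags and the two-column output layout (ruleset name, allowed address) shown in the article; the ESXCLI variable and the function names are the example's own, and ESXCLI exists only so the logic can be exercised against a stub off the host.

```shell
#!/bin/sh
# Added example (not from the KB article): add an allowed IP/mask to the
# nfsClient ruleset with the article's esxcli commands and verify the result.
# Run in the ESXi Shell. ESXCLI may be pointed at a stub for testing
# (assumption: flags and output layout are those shown in the article).
ESXCLI="${ESXCLI:-esxcli}"

# nfs_allowed_has IP/PREFIX
# Returns 0 if "esxcli network firewall ruleset allowedip list" already shows
# this exact entry for nfsClient (ruleset in column 1, address in column 2).
nfs_allowed_has() {
    "$ESXCLI" network firewall ruleset allowedip list |
        awk -v want="$1" '$1 == "nfsClient" && $2 == want { found = 1 }
                           END { exit found ? 0 : 1 }'
}

# nfs_allow IP/PREFIX
# Adds the entry with "esxcli storage nfs firewall add -F" unless it is already
# present, then re-reads the allowed list to confirm. Prints one word so callers
# can act on it: already | added | failed. Returns non-zero on failure.
nfs_allow() {
    entry="$1"
    case "$entry" in
        */*) ;;
        *)  echo "usage: nfs_allow <IP>/<prefix>" >&2; return 2 ;;
    esac

    # A short prefix (the article's /8 is only an example) admits far more than
    # the NFS servers; warn so the narrowest covering mask is chosen deliberately.
    prefix="${entry#*/}"
    if [ "$prefix" -lt 24 ] 2>/dev/null; then
        echo "warning: /$prefix is broad; prefer the narrowest mask covering your NFS servers" >&2
    fi

    if nfs_allowed_has "$entry"; then
        echo already
        return 0
    fi

    if ! "$ESXCLI" storage nfs firewall add -F "$entry"; then
        echo failed
        return 1
    fi

    # Do not trust the add's exit status alone: re-list and look for the entry.
    if nfs_allowed_has "$entry"; then
        echo added
        return 0
    fi
    echo failed
    return 1
}

# When run as a script with an argument, apply it: ./nfs_allow.sh 192.0.2.10/32
if [ "$#" -gt 0 ]; then
    nfs_allow "$1"
fi
```

Calling nfs_allow twice with the same entry prints "added" and then "already", so the script can be re-run safely; a bare IP without a prefix is rejected before any esxcli call is made.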

Additional Information