ESXi Server has a built-in Firewall to protect your ESXi Server.
There are pre-defined services (source and destination TCP/UDP ports) that you can configure via vSphere Client or CLI, for example to permit or restrict SSH from a specified IP address or network. These pre-defined services should be sufficient for most environments.
However, there may be a case where you wish to create a custom service, for example when you install a third-party plugin that uses a TCP/UDP port that is not defined in the pre-defined list.
Create a custom service XML
- You can see the default configuration of the ESXi Firewall via vSphere Client or CLI. I will be using the CLI to verify this setting.
~ # esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true
~ #
- You can also verify which rulesets (pre-defined TCP/UDP services) are enabled. If a ruleset is not enabled, the service is blocked by the Firewall.
~ # esxcli network firewall ruleset list
Name Enabled
------------------ -------
sshServer true
sshClient false
nfsClient false
dhcp true
dns true
snmp true
ntpClient true
CIMHttpServer true
CIMHttpsServer true
CIMSLP true
iSCSI true
vpxHeartbeats true
updateManager false
faultTolerance true
webAccess true
vMotion true
vSphereClient true
activeDirectoryAll false
NFC true
HBR true
ftpClient false
httpClient false
gdbserver false
DVFilter false
DHCPv6 true
DVSSync false
syslog true
IKED false
WOL true
vSPC false
remoteSerialPort false
vprobeServer false
fdm false
dynamicruleset true
- For an enabled ruleset, you can verify which IP address(es) are allowed to access it.
~ # esxcli network firewall ruleset allowedip list
Ruleset Allowed IP Addresses
------------------ --------------------
sshServer All
sshClient All
nfsClient All
dhcp All
dns All
snmp All
ntpClient All
CIMHttpServer All
CIMHttpsServer All
CIMSLP All
iSCSI All
vpxHeartbeats All
updateManager All
faultTolerance All
webAccess All
vMotion All
vSphereClient All
activeDirectoryAll All
NFC All
HBR All
ftpClient All
httpClient All
gdbserver All
DVFilter All
DHCPv6 All
DVSSync All
syslog All
IKED All
WOL All
vSPC All
remoteSerialPort All
vprobeServer All
fdm All
dynamicruleset All
- So where are these rules defined? They are defined in XML files under the /etc/vmware/firewall directory of the ESXi Server. As you can see below, service.xml is the one used by default, and fdm.xml is the one added after HA was configured in the Cluster.
~ # ls /etc/vmware/firewall/
fdm.xml service.xml
- Let's look at what is written in these files.
~ # cat /etc/vmware/firewall/fdm.xml
<!-- Firewall configuration information for FDM -->
<ConfigRoot>
<service>
<id>fdm</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>8182</port>
</rule>
<rule id='0001'>
<direction>outbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>8182</port>
</rule>
<rule id='0002'>
<direction>inbound</direction>
<protocol>udp</protocol>
<porttype>dst</porttype>
<port>8182</port>
</rule>
<rule id='0003'>
<direction>outbound</direction>
<protocol>udp</protocol>
<porttype>dst</porttype>
<port>8182</port>
</rule>
<enabled>false</enabled>
<required>false</required>
</service>
</ConfigRoot>
~ #
- It is an XML file and is human readable. In fact, I found this XML file quite intuitive to understand: it uses familiar terms like protocol, port and direction. So I will create an XML file for my custom service. You can use any text editor to make this XML file and then upload it to the /etc/vmware/firewall directory. My custom service is a TCP-based protocol that uses destination port 9999.
<!-- Firewall configuration information for My Custom TCP Service -->
<ConfigRoot>
<service>
<id>MyCustomService</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>9999</port>
</rule>
</service>
</ConfigRoot>
- Once you copy/upload your XML file, verify that it exists in the correct directory.
~ # ls -la /etc/vmware/firewall/
drwxr-xr-x 1 root root 512 Apr 9 21:12 .
drwxr-xr-x 1 root root 512 Apr 9 21:12 ..
-rw-r--r-- 1 root root 288 Apr 9 21:12 MyCustomService.xml
-r--r--r-- 1 root root 807 Aug 2 2012 fdm.xml
-r--r--r-- 1 root root 16731 Aug 2 2012 service.xml
- You will need to refresh the ESXi Firewall to pick up the new setting.
~ # esxcli network firewall refresh
- Run the esxcli network firewall ruleset list command again. The custom ruleset is now on the list, but notice that it is enabled = false, because the default setting for a ruleset is DROP until you enable it.
~ # esxcli network firewall ruleset list | grep MyCustomService
MyCustomService false
- Enable the custom ruleset then verify that the ruleset is enabled.
~ # esxcli network firewall ruleset set -r MyCustomService -e true
~ # esxcli network firewall ruleset list | grep MyCustomService
MyCustomService true
- You can see the custom service from allowedip list, too.
~ # esxcli network firewall ruleset allowedip list | grep MyCustomService
MyCustomService All
- Finally, log in via vSphere Client and check that the custom service exists and is configured.
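As an added example (not from the original post), here is a small POSIX shell script that generates a ruleset XML like the MyCustomService.xml above, validating the id, direction, protocol and port first, and then runs the same esxcli steps as the procedure, additionally restricting the allowed source addresses instead of leaving them at All. The deploy_ruleset function, the file name and the CIDR value are my assumptions; the allowed-ip esxcli options used in it are standard esxcli options that this page does not show.

```shell
#!/bin/sh
# Added example: generate and deploy an ESXi firewall ruleset XML.
# Assumes it is run from the ESXi shell, with /etc/vmware/firewall as on the page.

# gen_ruleset_xml ID DIRECTION PROTO PORT  -> prints the XML on stdout, or fails
gen_ruleset_xml() {
    id=$1; dir=$2; proto=$3; port=$4
    # Ruleset id: letters and digits only, so it cannot break the XML or the file path
    case "$id" in *[!A-Za-z0-9]*|"") echo "bad ruleset id: $id" >&2; return 1 ;; esac
    case "$dir" in inbound|outbound) ;; *) echo "bad direction: $dir" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$port" in *[!0-9]*|"") echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    # Same layout as fdm.xml on the page; <enabled> starts false, as the page observes
    cat <<EOF
<!-- Firewall configuration information for $id -->
<ConfigRoot>
<service>
<id>$id</id>
<rule id='0000'>
<direction>$dir</direction>
<protocol>$proto</protocol>
<porttype>dst</porttype>
<port>$port</port>
</rule>
<enabled>false</enabled>
<required>false</required>
</service>
</ConfigRoot>
EOF
}

# deploy_ruleset ID DIRECTION PROTO PORT ALLOWED_CIDR  (hypothetical helper)
# Writes the file, reloads the firewall, enables the ruleset and limits it to
# ALLOWED_CIDR instead of the default "All" shown in the allowedip list.
deploy_ruleset() {
    id=$1; cidr=$5
    gen_ruleset_xml "$1" "$2" "$3" "$4" > "/etc/vmware/firewall/$id.xml" || return 1
    esxcli network firewall refresh
    esxcli network firewall ruleset set -r "$id" -e true
    esxcli network firewall ruleset set -r "$id" -a false      # stop allowing All
    esxcli network firewall ruleset allowedip add -r "$id" -i "$cidr"
    esxcli network firewall ruleset allowedip list | grep "^$id "
}

# Example call (constructed values): deploy_ruleset MyCustomService inbound tcp 9999 192.0.2.0/24
```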