In ESXi 5.0, the firewall system has been completely revamped to provide the same functionality as the classic ESX Service Console esxcfg-firewall command. To access the firewall configuration, use the esxcli namespace esxcli network firewall. By default, there is a set of predefined services that a user can enable or disable at startup.
To list the default firewall rules, you can run the following command:
esxcli network firewall ruleset list
You can also create your own custom firewall rules/services, but unfortunately this has to be done outside of the esxcli framework, with a custom firewall rule configuration file. An example firewall rule can be viewed under /etc/vmware/firewall/ if you have FDM enabled; you should find a file called fdm.xml which looks a little something like this:
This XML configuration file describes the name of the firewall rule/service and also specifies the various ports, port type, protocol and direction of a given service.
In the following example, I will create a new firewall rule called "virtuallyGhetto"; it will have port 1337 using TCP for both inbound/outbound and port 20120 using UDP for both inbound/outbound. You will need to create a new XML file and give it a name; I have called mine /etc/vmware/firewall/virtuallyGhetto.xml
<ConfigRoot>
 <service>
  <id>virtuallyGhetto</id>
  <rule id='0000'>
   <direction>inbound</direction>
   <protocol>tcp</protocol>
   <porttype>dst</porttype>
   <port>1337</port>
  </rule>
  <rule id='0001'>
   <direction>outbound</direction>
   <protocol>tcp</protocol>
   <porttype>dst</porttype>
   <port>1337</port>
  </rule>
  <rule id='0002'>
   <direction>inbound</direction>
   <protocol>udp</protocol>
   <porttype>dst</porttype>
   <port>20201</port>
  </rule>
  <rule id='0003'>
   <direction>outbound</direction>
   <protocol>udp</protocol>
   <porttype>dst</porttype>
   <port>20201</port>
  </rule>
  <enabled>true</enabled>
  <required>false</required>
 </service>
</ConfigRoot>
Next we need to reload the firewall by performing a "refresh" operation and then list the rules again using the following commands:
esxcli network firewall refresh
esxcli network firewall ruleset list
We can also verify the individual rules for our new firewall rule/service by running the following command and grepping for the rule in question:
esxcli network firewall ruleset rule list | grep virtuallyGhetto
The new ESXi firewall also allows you to specify particular IP addresses or IP ranges that may access a given service. In the following example I disable "allow all" and specify a particular range for the virtuallyGhetto service using the following commands:
esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto
esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto
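As an added example (not code from the original post), the following POSIX shell script generates a service definition in the same layout as the virtuallyGhetto.xml above, checks the protocol and port before writing anything, writes the file under /etc/vmware/firewall/ and then runs the refresh, verification and allowed-IP commands from the post when esxcli is present. The fw_* function names and the sample values are my own assumptions.

```shell
#!/bin/sh
# Added example: build an ESXi 5.x custom firewall service file and load it.
# Only the /etc/vmware/firewall path and the esxcli commands come from the post;
# function names and sample ports/subnet are assumed for illustration.

# Print one <rule> element. Args: rule-id direction protocol port
fw_rule() {
    printf "  <rule id='%s'>\n" "$1"
    printf "   <direction>%s</direction>\n" "$2"
    printf "   <protocol>%s</protocol>\n" "$3"
    printf "   <porttype>dst</porttype>\n"
    printf "   <port>%s</port>\n" "$4"
    printf "  </rule>\n"
}

# Print a whole service: an inbound and an outbound dst rule for every
# "proto:port" argument, numbered 0000, 0001, ... like the post's file.
# Usage: fw_service virtuallyGhetto tcp:1337 udp:20201
fw_service() {
    name=$1; shift
    n=0
    printf "<ConfigRoot>\n <service>\n  <id>%s</id>\n" "$name"
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}
        # Refuse anything the ESXi service schema cannot express
        case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        for dir in inbound outbound; do
            fw_rule "$(printf '%04d' "$n")" "$dir" "$proto" "$port"
            n=$((n + 1))
        done
    done
    printf "  <enabled>true</enabled>\n  <required>false</required>\n"
    printf " </service>\n</ConfigRoot>\n"
}

# Write the file, reload the firewall and restrict the service to one subnet.
# Args: service-name allowed-subnet proto:port...   (esxcli steps run only on ESXi)
fw_install() {
    name=$1; subnet=$2; shift 2
    fw_service "$name" "$@" > "/etc/vmware/firewall/$name.xml" || return 1
    command -v esxcli >/dev/null || return 0
    esxcli network firewall refresh
    esxcli network firewall ruleset rule list | grep "$name"
    esxcli network firewall ruleset set --allowed-all false --ruleset-id="$name"
    esxcli network firewall ruleset allowedip add --ip-address="$subnet" --ruleset-id="$name"
}
```

Run as root on the host, e.g. `fw_install virtuallyGhetto 172.30.0.0/24 tcp:1337 udp:20201`; the generated XML can be inspected first with `fw_service` alone.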
The new firewall rules/services are also viewable under the host configuration section "Security Profile" using the vSphere Client:
As you can see, it is pretty straightforward to add your own firewall rules, and this can easily be incorporated into your kickstart builds.
UPDATE1: For how to persist custom firewall rules in ESXi 5, take a look at these two articles here and here.
UPDATE2: Duncan Epping just posted an article on creating your own VIBs, which will persist firewall rules; definitely take a look at that as another option.
UPDATE3: You can now easily create persistent firewall rules and other files using the new VIB Author Fling; please take a look at this article here for some examples.
Excellent, thanks for the information
Tried, but it does not survive a reboot.
Any idea?
I had the same behavior.
When I rebooted the server all the custom firewall rules had been lost, although the xml files were present in the right directory.
I had to refresh firewall rules through the command:
esxcli network firewall refresh
and then it loaded all my custom rules.
Any idea how to fix this?
Thank you.
Giuseppe
I had the same problem. I can see my additional file is copied (in its timestamp), but for some reason the firewall refresh doesn't work. If I run the command, it works.
Thinking it could be some kind of latency problem, I put the copy before the if, and the refresh command after, and so far, so good, it works every time.
Very good information, but there is a typo in the fdm.xml example. The very first XML starting tag should read
), or the file will not be accepted.
(and not
- Andreas
@Andreas
Thanks, I've fixed it. I initially had it right but blogger changed it when I was editing it in html view.
@Anthony,
It's just a regular file, use "vi"
OK thanks, now my new firewall rule is added to /etc/vmware/firewall/test.xml; how do I activate these rules? Are the rules activated automatically?
Thanks for your answers
I think it may be activated by the vSphere Client; the relevant item appears in the settings.
But I have an additional question. I saw the 'smtp thrue' string in the Firewall, but if I try 'nc relay 25' then 'nc: getaddrinfo: Name or service not known' is shown. What is this?
I need to add port 7968 both incoming and outgoing. How can I do that in vSphere 5.0? Sorry guys! I am new to VMware.
Had this running on 5.0, but it doesn't seem to work in 5.1.
@Anonymous
Take a look at this article using the new VIB Author Fling on how to create persistent firewall rules - http://www.virtuallyghetto.com/2012/09/creating-custom-vibs-for-esxi-50-51.html
Can we add firewall rules without doing a VIB on 5.1?
You can ... they just won't persist 😉
Hey Folks,
I have successfully created a firewall rule for SMTP, but I can't get any emails... I set an SMTP server, port 25, email from and email to, but nothing happened, no error or anything else....
Does anybody have an idea?
A very good post, I like it very much, hope you will give another post asap. Great info, thanks!
The code around the fdm.xml script appears broken. I came here for the virtuallyGhetto.xml script, and that's missing. Any chance of a review of this article for link-rot and missing content?
fixed
>In the following example, I will create a new firewall rule called "virtuallyGhetto" and ...
You never showed the creation of this file. Did you create it by hand, using fdm.xml as a template?
Hi,
I want to know what the options below are used for when we create a custom firewall rule:
<enabled>false</enabled>
<required>false</required>
Even if I set them to false, the firewall rule is selected in the GUI. Please help me understand what these options are used for.
/etc/vmware/firewall/test.xml :
<ConfigRoot>
 <service>
  <id>abed</id>
  <rule id='0000'>
   <direction>inbound</direction>
   <protocol>tcp</protocol>
   <porttype>dst</porttype>
   <port>8182</port>
  </rule>
  <rule id='0001'>
   <direction>outbound</direction>
   <protocol>udp</protocol>
   <porttype>dst</porttype>
   <port>8182</port>
  </rule>
  <enabled>false</enabled>
  <required>false</required>
 </service>
</ConfigRoot>
Is there any log for the ESXi host firewall?
I'd like to see which connections were accepted or rejected.