How to Create Custom Firewall Rules in ESXi 5.0

07.18.2011 by William Lam // 29 Comments

In ESXi 5.0, the firewall system has been completely revamped to provide the same functionality as the classic ESX Service Console esxcfg-firewall command. To access the firewall configuration, use the esxcli namespace esxcli network firewall. By default, there is a set of predefined services that a user can enable or disable on startup.

To list the default firewall rules, you can run the following command:

esxcli network firewall ruleset list

You can also create your own custom firewall rules/services, but unfortunately this has to be done outside of the esxcli framework, with a custom firewall rule configuration file. An example firewall rule can be viewed under /etc/vmware/firewall/ if you have FDM enabled; you should find a file called fdm.xml which looks a little something like this:
This XML configuration file describes the name of the firewall rule/service and also specifies the ports, port type, protocol and direction of the given service.

In the following example, I will create a new firewall rule called "virtuallyGhetto" and it will have port 1337 using TCP for both inbound/outbound and port 20120 using UDP for both inbound/outbound. You will need to create a new XML file and specify a name; I have called mine /etc/vmware/firewall/virtuallyGhetto.xml

<ConfigRoot>
  <service>
    <id>virtuallyGhetto</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>1337</port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>1337</port>
    </rule>
    <rule id='0002'>
      <direction>inbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>20201</port>
    </rule>
    <rule id='0003'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>20201</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Next we need to reload the firewall by performing a "refresh" operation and then list the rules again, using the following commands:

esxcli network firewall refresh
esxcli network firewall ruleset list

We can also verify the individual rules of our new ruleset by running the following command and grepping for the ruleset in question:

esxcli network firewall ruleset rule list | grep virtuallyGhetto

The new ESXi firewall also allows you to restrict access to a particular service to specific IP addresses or IP ranges. In the following example I disable "allow all" and specify a particular range for the virtuallyGhetto service using the following commands:

esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto
esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto
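As an added example (not code from the original post), here is a small Python checker for the service XML format shown above: it parses a definition like virtuallyGhetto.xml, checks that each rule element holds a value the firewall accepts, and lists the inbound ports the service exposes, which is what a reviewer of a custom rule wants to see first. The embedded sample is the article's own virtuallyGhetto.xml; the <begin>/<end> range form of <port> is assumed from the ESXi firewall format rather than shown on this page.

```python
import xml.etree.ElementTree as ET

# The virtuallyGhetto.xml definition from the article, embedded as sample input.
SAMPLE_XML = """<ConfigRoot><service><id>virtuallyGhetto</id>
<rule id='0000'><direction>inbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>1337</port></rule>
<rule id='0001'><direction>outbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>1337</port></rule>
<rule id='0002'><direction>inbound</direction><protocol>udp</protocol><porttype>dst</porttype><port>20201</port></rule>
<rule id='0003'><direction>outbound</direction><protocol>udp</protocol><porttype>dst</porttype><port>20201</port></rule>
<enabled>true</enabled><required>false</required></service></ConfigRoot>"""

# Values the ESXi firewall accepts in each rule element.
ALLOWED = {"direction": ("inbound", "outbound"), "protocol": ("tcp", "udp"),
           "porttype": ("src", "dst")}

def _port_range(port_el):
    # <port> holds one number, or <begin>/<end> children for a range (assumed form).
    begin, end = port_el.find("begin"), port_el.find("end")
    if begin is not None and end is not None:
        return int(begin.text), int(end.text)
    return int(port_el.text), int(port_el.text)

def parse_services(xml_text):
    """Return one dict per <service>: its id, enabled/required flags and rules."""
    services = []
    for svc in ET.fromstring(xml_text).findall("service"):
        rules = [{"id": r.get("id"), "direction": r.findtext("direction"),
                  "protocol": r.findtext("protocol"),
                  "porttype": r.findtext("porttype"),
                  "ports": _port_range(r.find("port"))}
                 for r in svc.findall("rule")]
        services.append({"id": svc.findtext("id"), "rules": rules,
                         "enabled": svc.findtext("enabled") == "true",
                         "required": svc.findtext("required") == "true"})
    return services

def validate(service):
    """List values the definition should not contain; [] means it looks sane."""
    problems = []
    for r in service["rules"]:
        for field, ok in ALLOWED.items():
            if r[field] not in ok:
                problems.append(f"rule {r['id']}: bad {field} {r[field]!r}")
        lo, hi = r["ports"]
        if not 1 <= lo <= hi <= 65535:
            problems.append(f"rule {r['id']}: port range {lo}-{hi} out of bounds")
    return problems

def inbound_exposure(service):
    # Ports the service opens to inbound traffic, sorted by protocol then port.
    return sorted((r["protocol"], r["ports"]) for r in service["rules"]
                  if r["direction"] == "inbound" and r["porttype"] == "dst")
```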

The new firewall rules/services are also viewable under the host configuration section "Security Profile" using the vSphere Client:

As you can see it is pretty straightforward to add your own firewall rules, and this can easily be incorporated into your kickstart builds.

UPDATE1: To persist custom firewall rules in ESXi 5, take a look at these two articles here and here.

UPDATE2: Duncan Epping just posted an article on creating your own vibs which will persist firewall rules, definitely take a look as another option.

UPDATE3: You can now easily create persistent firewall rules and other files using the new VIB Author Fling, please take a look at this article here for some examples.

Categories // Uncategorized Tags // ESXi 5.0, firewall, ruleset, vSphere 5.0

Comments

  1. Carlos Martinez Rivas says

    09/20/2011 at 8:44 pm

    Excellent, thanks for the information.

  2. marco says

    01/19/2012 at 5:33 pm

    Tried it, but it does not survive a reboot.
    Any idea?

    • Giuseppe says

      11/13/2012 at 3:55 am

      I had the same behavior.

      When I rebooted the server all the custom firewall rules had been lost, although the XML files were present in the right directory.

      I had to refresh the firewall rules through the command:

      esxcli network firewall refresh

      and then it loaded all my custom rules.

      Any idea how to fix this?

      Thank you.

      Giuseppe

    • arielsanchezmora says

      02/08/2014 at 12:30 am

      I had the same problem. I can see my additional file is copied (in its timestamp), but for some reason the firewall refresh doesn't work. If I run the command, it works.

      Thinking it could be some kind of latency problem, I put the copy before the if, and the refresh command after, and so far, so good, it works every time.

  3. Andreas Peetz says

    01/19/2012 at 9:44 pm

    This comment has been removed by the author.

  4. Andreas Peetz says

    01/19/2012 at 9:46 pm

    Very good information, but there is a typo in the fdm.xml example. The very first XML starting tag should read

    (and not
    ), or the file will not be accepted.

    - Andreas

  5. William says

    01/21/2012 at 4:29 pm

    @Andreas

    Thanks, I've fixed it. I initially had it right but Blogger changed it when I was editing it in HTML view.

  6. Anthony B. says

    02/17/2012 at 4:02 pm

    This comment has been removed by the author.

  7. William says

    02/17/2012 at 4:04 pm

    @Anthony,

    It's just a regular file, use "vi"

  8. Anthony B. says

    02/20/2012 at 10:31 am

    OK thanks, now my new firewall rule is added to /etc/vmware/firewall/test.xml; how do I activate this rule? Is the rule activated automatically?

    Thanks for your answers

  9. duralexii says

    05/16/2012 at 9:51 am

    I think it may be activated by the vSphere Client; the relevant item appears in the settings.

    But I have an additional question. I saw an 'smtp thrue' string at the Firewall, but if I try 'nc relay 25' then 'nc: getaddrinfo: Name or service not known' is shown. What is it?

  10. Unknown says

    06/28/2012 at 3:37 am

    I need to add port 7968 both incoming and outgoing. How can I do that in vSphere 5.0? Sorry guys! I am new to VMware.

  11. Anonymous says

    10/01/2012 at 12:03 pm

    Had this running on 5.0 but it doesn't seem to work in 5.1

    • William says

      10/01/2012 at 3:14 pm

      @Anonymous

      Take a look at this article using the new VIB Author Fling on how to create persistent firewall rules - http://www.virtuallyghetto.com/2012/09/creating-custom-vibs-for-esxi-50-51.html

    • Anonymous says

      12/14/2012 at 9:41 am

      Can we add firewall rules without doing a VIB on 5.1?

    • William says

      12/14/2012 at 9:57 pm

      You can ... they just won't persist 😉

  12. Mokkaritzen Kasanova says

    11/15/2012 at 2:28 pm

    Hey Folks,
    I have successfully created a firewall rule for SMTP but I can't get any emails... I set an SMTP server, port 25, email from and email to, but nothing happened, no error or anything else....

    Does anybody have an idea?

  13. Free Network Security says

    04/27/2013 at 6:44 am

    A very good post, I like it very much, hope you will give another post asap. Great info, thanks!

  14. Lunchbox says

    07/06/2013 at 2:33 am

    The code around the fdm.xml script appears broken. I came here for the virtuallyGhetto.xml script, and that's missing. Any chance of a review of this article for link-rot and missing content?

    • William Lam says

      07/06/2013 at 3:15 am

      fixed

  15. clric0t0d0 says

    11/20/2013 at 8:00 pm

    >In the following example, I will create a new firewall rule called "virtuallyGhetto" and ...

    You never showed the creation of this file. Did you create it by hand, using fdm.xml as a template?

  16. Punit Solanki says

    05/05/2014 at 7:10 pm

    Hi,

    I want to know what the options below are used for when we create a custom firewall rule:

    <enabled>false</enabled>
    <required>false</required>

    Even if I set them to false, the firewall rule is selected in the GUI. Please help me understand what these options are used for?

    /etc/vmware/firewall/test.xml :

    <ConfigRoot>
      <service>
        <id>abed</id>
        <rule id='0000'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <porttype>dst</porttype>
          <port>8182</port>
        </rule>
        <rule id='0001'>
          <direction>outbound</direction>
          <protocol>udp</protocol>
          <porttype>dst</porttype>
          <port>8182</port>
        </rule>
        <enabled>false</enabled>
        <required>false</required>
      </service>
    </ConfigRoot>

  17. MColla says

    03/07/2023 at 10:12 am

    Is there any log for the ESXi host firewall?
    I'd like to see which connections were accepted or rejected.


Trackbacks

  1. How to Persist Configuration Changes in ESXi 4.x/5.x Part 1 | virtuallyGhetto says:
    03/02/2014 at 7:43 pm

    […] or through a one time manual configuration. I will provide some examples including persisting custom firewall rules in ESXi 5, so stay […]

  2. Automating ESXi 5 Kickstart Tips & Tricks | virtuallyGhetto says:
    03/02/2014 at 7:44 pm

    […] To create custom firewall rules, take a look at the blog post here.  […]

  3. Exportar syslog de ESXi 5.x a Splunk Storm | Infragig says:
    07/21/2014 at 3:41 am

    […] http://www.virtuallyghetto.com/2011/07/how-to-create-custom-firewall-rules-in.html […]

  4. Manually installing a (persistent) Firewall Rule to allow IPFIX on the ESX Host says:
    08/25/2016 at 1:11 pm

    […] I decided to add it in myself. So I used google again and I stumbled onto this and this […]

  5. Custom script bundle is now possible with Auto Deploy in vSphere 6.5 | virtuallyGhetto says:
    11/23/2016 at 9:52 am

    […] rule for example. For these cases, you either had to either hack it up using a method like this or to create a custom ESXi VIB which would then force customers to lower their ESXi's software […]

  6. Why am I seeing HTTP communication status 404 error when configuring vSphere with Tanzu & how to fix? says:
    11/16/2020 at 4:32 pm

    […] our ESXi host to allow for outbound connectivity to 5480. To do that, I had to use one of my older blog articles back in 2011 on how to create a custom ESXi firewall rule, since 5480 was not one of the default ports that is available for […]


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.