In ESXi 5.0, the firewall system has been completely revamped to provide the same functionality as the classic ESX Service Console esxcfg-firewall command. To access the firewall configurations, you can use the following esxcli namespace: esxcli network firewall. By default, there are set of predefined services that a user can enable or disable upon startup.
To list the default firewall rules, you can run the following command:
esxcli network firewall ruleset list
You can also create your own custom firewall rules/services, but unfortunately this has to go outside of the esxcli framework with a custom firewall rule configuration file. An example firewall rule can be viewed under /etc/vmware/firewall/ if you have FDM enabled and you should find a file called fdm.xml which looks a little something like this:
This XML configuration file describes the name of the firewall rule/service and also specifies the various ports, port type, protocol and direction of a given service.
In the following example, I will create a new firewall rule called "virtuallyGhetto" and it will have port 1337 using TCP for both inbound/outbound and port 20120 using UDP for both inbound/oubound. You will need to create a new XML file and specify a name which I have called /etc/vmware/firewall/virtuallyGhetto.xml
<ConfigRoot> <service> <id>virtuallyGhetto</id> <rule id='0000'> <direction>inbound</direction> <protocol>tcp</protocol> <porttype>dst</porttype> <port>1337</port> </rule> <rule id='0001'> <direction>outbound</direction> <protocol>tcp</protocol> <porttype>dst</porttype> <port>1337</port> </rule> <rule id='0002'> <direction>inbound</direction> <protocol>udp</protocol> <porttype>dst</porttype> <port>20201</port> </rule> <rule id='0003'> <direction>outbound</direction> <protocol>udp</protocol> <porttype>dst</porttype> <port>20201</port> </rule> <enabled>true</enabled> <required>false</required> </service> </ConfigRoot>
Next we will need to reload the firewall by performing a "refresh" operation and then list the rules again using the following command:
esxcli network firewall refresh
esxcli network firewall ruleset list
We can also verify that the individual rulesets for our new firewall rule/service by running the following command and grepping for the rule in question:
esxcli network firewall ruleset rule list | grep virtuallyGhetto
The new ESXi firewall also allows you to specify specific IP Address or IP ranges to access a particular service. In the following example I disable the "allow all" and specify a particular range for the virtuallyGhetto service using the following commands:
esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto
esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto
The new firewall rules/services are also viewable under the host configuration section "Security Profile" using the vSphere Client:
As you can see it is pretty straight forward to add your own firewall rules and this can easily be incorporated into your kickstart builds.
UPDATE1: How to persist custom firewall rules in ESXi 5, take a look at these two articles here and here.
UPDATE2: Duncan Epping just posted an article on creating your own vibs which will persist firewall rules, definitely take a look as another option.
UPDATE3: You can now easily create persistent firewall rules and other files using the new VIB Author Fling, please take a look at this article here for some examples.
Carlos Martinez Rivas says
Excelente, gracias por la informacion
marco says
Tried but it does not survive at reboot.
Any idea?
Giuseppe says
I had the same behavior.
When I rebooted the server all the customs firewalls roles have been lost, although the xml files where present in the right directory.
I had to refresh firewall rules through the command:
esxcli network firewall refresh
and then it loaded all my custom rules.
Any idea how to fix this?
Thank you.
Giuseppe
arielsanchezmora says
I had the same problem. I can see my additional file is copied (in it's timestamp) - but for some reason the firewall refresh doesn't work. if i run the command, it works.
thinking it could be some kind of latency problemt, i put the copy before the if, and the refresh command after - and so far, so good, it works every time.
Andreas Peetz says
This comment has been removed by the author.
Andreas Peetz says
Very good information, but there is a typo in the fdm.xml example. The very first XML starting tag should read
), or the file will not be accepted.
(and not
- Andreas
William says
@Andreas
Thanks, I've fixed it. I initially had it right but blogger changed it when I was editing it in html view.
Anthony B. says
This comment has been removed by the author.
William says
@Anthony,
It's just a regular file, use "vi"
Anthony B. says
Ok tanks, now my new firewall rules is add to /etc/vmware/firewall/test.xml, how to active this rules. The rules is auto activate?
Thanks for your answers
duralexii says
I think, it may be activated by vSphereClient - relevant item is appeared in the settings.
but I have the additional question. A saw 'smtp thrue' string at the Firewall, but if I try 'nc relay 25' then 'nc: getaddrinfo: Name or service not known' is showd. What is?
Unknown says
I need to add port 7968 both incoming and outgoing. How can I do that in VShare 5.0. Sorry guys! I am new to VmWare.
Anonymous says
had this running on 5.0 but doesn't seem to work in 5.1
William says
@Anonymous
Take a look at this article using the new VIB Author Fling on how to create persistent firewall rules - http://www.virtuallyghetto.com/2012/09/creating-custom-vibs-for-esxi-50-51.html
Anonymous says
can we add firewall rules without doing a VIB on a 5.1?
William says
You can ... they just won't persist 😉
Mokkaritzen Kasanova says
Hey Folks,
i have createt succsessfully a firewall rule for SMTP but i cant get any emails... i set a smtp server, port 25 email from and email to but nothing happend no error or something else....
have anybody an idea?
Free Network Security says
A very good post ,I like it very much ,hope you will give another post asap Great info Thanks!
Lunchbox says
The code around the fdm.xml script appears broken. I came here for the GirtuallyGhetto.xml script, and that's missing. Any chance of a review of this article for link-rot and missing content?
William Lam says
fixed
clric0t0d0 says
>In the following example, I will create a new firewall rule called "virtuallyGhetto" and ...
You never showed the creation of this file. Did you create it by hand, using fdm.xml as a template?
Punit Solanki says
Hi,
I want to know what is the below option used for when we create a customer firewall rule :
false
false
Even if I set it to false, the firewall rule is selected in the GUI. Please help me understand what are these option used for ?
/etc/vmware/firewall/test.xml :
abed
inbound
tcp
dst
8182
outbound
udp
dst
8182
false
false
MColla says
There is any log for ESXi host firewall?
Like to see witch connection was accepted or rejected