WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud
  • Tanzu
    • Application Modernization
    • Tanzu services
    • Tanzu Community Edition
    • Tanzu Kubernetes Grid
    • vSphere with Tanzu
  • Home Lab
  • Nested Virtualization
  • Apple
You are here: Home / Uncategorized / How to Create Custom Firewall Rules in ESXi 5.0

How to Create Custom Firewall Rules in ESXi 5.0

07.18.2011 by William Lam // 29 Comments

In ESXi 5.0, the firewall system has been completely revamped to provide the same functionality as the classic ESX Service Console esxcfg-firewall command. To access the firewall configurations, you can use the following esxcli namespace: esxcli network firewall. By default, there are set of predefined services that a user can enable or disable upon startup.

To list the default firewall rules, you can run the following command:  

esxcli network firewall ruleset list

You can also create your own custom firewall rules/services, but unfortunately this has to go outside of the esxcli framework with a custom firewall rule configuration file. An example firewall rule can be viewed under /etc/vmware/firewall/ if you have FDM enabled and you should find a file called fdm.xml which looks a little something like this:
This XML configuration file describes the name of the firewall rule/service and also specifies the various ports, port type, protocol and direction of a given service.

In the following example, I will create a new firewall rule called "virtuallyGhetto" and it will have port 1337 using TCP for both inbound/outbound and port 20120 using UDP for both inbound/oubound. You will need to create a new XML file and specify a name which I have called /etc/vmware/firewall/virtuallyGhetto.xml

<ConfigRoot>
  <service>
    <id>virtuallyGhetto</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>1337</port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>1337</port>
    </rule>
    <rule id='0002'>
      <direction>inbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>20201</port>
    </rule>
    <rule id='0003'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>20201</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Next we will need to reload the firewall by performing a "refresh" operation and then list the rules again using the following command:  

esxcli network firewall refresh
esxcli network firewall ruleset list

We can also verify that the individual rulesets for our new firewall rule/service by running the following command and grepping for the rule in question:

esxcli network firewall ruleset rule list | grep virtuallyGhetto

The new ESXi firewall also allows you to specify specific IP Address or IP ranges to access a particular service. In the following example I disable the "allow all" and specify a particular range for the virtuallyGhetto service using the following commands:

esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto
esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto

The new firewall rules/services are also viewable under the host configuration section "Security Profile" using the vSphere Client:

As you can see it is pretty straight forward to add your own firewall rules and this can easily be incorporated into your kickstart builds.

UPDATE1: How to persist custom firewall rules in ESXi 5, take a look at these two articles here and here.

UPDATE2: Duncan Epping just posted an article on creating your own vibs which will persist firewall rules, definitely take a look as another option.

UPDATE3: You can now easily create persistent firewall rules and other files using the new VIB Author Fling, please take a look at this article here for some examples.

More from my site

  • Running ESXi 5.0 & 5.1 on 2012 Mac Mini 6,2
  • That's so cool! Running ESXi 5.0 & 5.1 on Apple Mac Mini
  • vSphere Security Hardening Report Script for vSphere 5
  • How to Run Windows 8 Consumer Preview & Windows 8 Server on vSphere 5
  • How to Configure Nested ESXi 5 to Support EVC Clusters

Categories // Uncategorized Tags // esxi5, firewall, ruleset, vSphere 5.0

Comments

  1. Carlos Martinez Rivas says

    09/20/2011 at 8:44 pm

    Excelente, gracias por la informacion

    Reply
  2. marco says

    01/19/2012 at 5:33 pm

    Tried but it does not survive at reboot.
    Any idea?

    Reply
    • Giuseppe says

      11/13/2012 at 3:55 am

      I had the same behavior.

      When I rebooted the server all the customs firewalls roles have been lost, although the xml files where present in the right directory.

      I had to refresh firewall rules through the command:

      esxcli network firewall refresh

      and then it loaded all my custom rules.

      Any idea how to fix this?

      Thank you.

      Giuseppe

      Reply
    • arielsanchezmora says

      02/08/2014 at 12:30 am

      I had the same problem. I can see my additional file is copied (in it's timestamp) - but for some reason the firewall refresh doesn't work. if i run the command, it works.

      thinking it could be some kind of latency problemt, i put the copy before the if, and the refresh command after - and so far, so good, it works every time.

      Reply
  3. Andreas Peetz says

    01/19/2012 at 9:44 pm

    This comment has been removed by the author.

    Reply
  4. Andreas Peetz says

    01/19/2012 at 9:46 pm

    Very good information, but there is a typo in the fdm.xml example. The very first XML starting tag should read

    (and not
    ), or the file will not be accepted.

    - Andreas

    Reply
  5. William says

    01/21/2012 at 4:29 pm

    @Andreas

    Thanks, I've fixed it. I initially had it right but blogger changed it when I was editing it in html view.

    Reply
  6. Anthony B. says

    02/17/2012 at 4:02 pm

    This comment has been removed by the author.

    Reply
  7. William says

    02/17/2012 at 4:04 pm

    @Anthony,

    It's just a regular file, use "vi"

    Reply
  8. Anthony B. says

    02/20/2012 at 10:31 am

    Ok tanks, now my new firewall rules is add to /etc/vmware/firewall/test.xml, how to active this rules. The rules is auto activate?

    Thanks for your answers

    Reply
  9. duralexii says

    05/16/2012 at 9:51 am

    I think, it may be activated by vSphereClient - relevant item is appeared in the settings.

    but I have the additional question. A saw 'smtp thrue' string at the Firewall, but if I try 'nc relay 25' then 'nc: getaddrinfo: Name or service not known' is showd. What is?

    Reply
  10. Unknown says

    06/28/2012 at 3:37 am

    I need to add port 7968 both incoming and outgoing. How can I do that in VShare 5.0. Sorry guys! I am new to VmWare.

    Reply
  11. Anonymous says

    10/01/2012 at 12:03 pm

    had this running on 5.0 but doesn't seem to work in 5.1

    Reply
    • William says

      10/01/2012 at 3:14 pm

      @Anonymous

      Take a look at this article using the new VIB Author Fling on how to create persistent firewall rules - http://www.virtuallyghetto.com/2012/09/creating-custom-vibs-for-esxi-50-51.html

      Reply
    • Anonymous says

      12/14/2012 at 9:41 am

      can we add firewall rules without doing a VIB on a 5.1?

      Reply
    • William says

      12/14/2012 at 9:57 pm

      You can ... they just won't persist 😉

      Reply
  12. Mokkaritzen Kasanova says

    11/15/2012 at 2:28 pm

    Hey Folks,
    i have createt succsessfully a firewall rule for SMTP but i cant get any emails... i set a smtp server, port 25 email from and email to but nothing happend no error or something else....

    have anybody an idea?

    Reply
  13. Free Network Security says

    04/27/2013 at 6:44 am

    A very good post ,I like it very much ,hope you will give another post asap Great info Thanks!

    Reply
  14. Lunchbox says

    07/06/2013 at 2:33 am

    The code around the fdm.xml script appears broken. I came here for the GirtuallyGhetto.xml script, and that's missing. Any chance of a review of this article for link-rot and missing content?

    Reply
    • William Lam says

      07/06/2013 at 3:15 am

      fixed

      Reply
  15. clric0t0d0 says

    11/20/2013 at 8:00 pm

    >In the following example, I will create a new firewall rule called "virtuallyGhetto" and ...

    You never showed the creation of this file. Did you create it by hand, using fdm.xml as a template?

    Reply
  16. Punit Solanki says

    05/05/2014 at 7:10 pm

    Hi,

    I want to know what is the below option used for when we create a customer firewall rule :

    false
    false

    Even if I set it to false, the firewall rule is selected in the GUI. Please help me understand what are these option used for ?

    /etc/vmware/firewall/test.xml :

    abed

    inbound
    tcp
    dst
    8182

    outbound
    udp
    dst
    8182

    false
    false

    Reply
  17. MColla says

    03/07/2023 at 10:12 am

    There is any log for ESXi host firewall?
    Like to see witch connection was accepted or rejected

    Reply

Trackbacks

  1. How to Persist Configuration Changes in ESXi 4.x/5.x Part 1 | virtuallyGhetto says:
    03/02/2014 at 7:43 pm

    […] or through a one time manual configuration. I will provide some examples including persisting custom firewall rules in ESXi 5, so stay […]

    Reply
  2. Automating ESXi 5 Kickstart Tips & Tricks | virtuallyGhetto says:
    03/02/2014 at 7:44 pm

    […] To create custom firewall rules, take a look at the blog post here.  […]

    Reply
  3. Exportar syslog de ESXi 5.x a Splunk Storm | Infragig says:
    07/21/2014 at 3:41 am

    […] http://www.virtuallyghetto.com/2011/07/how-to-create-custom-firewall-rules-in.html […]

    Reply
  4. Manually installing a (persistent) Firewall Rule to allow IPFIX on the ESX Host says:
    08/25/2016 at 1:11 pm

    […] I decided to add it in myself. So I used google again and I stumbled onto this and this […]

    Reply
  5. Custom script bundle is now possible with Auto Deploy in vSphere 6.5 | virtuallyGhetto says:
    11/23/2016 at 9:52 am

    […] rule for example. For these cases, you either had to either hack it up using a method like this or to create a custom ESXi VIB which would then force customers to lower their ESXi's software […]

    Reply
  6. Why am I seeing HTTP communication status 404 error when configuring vSphere with Tanzu & how to fix? says:
    11/16/2020 at 4:32 pm

    […] our ESXi host to allow for outbound connectivity to 5480. To do that, I had to use one of my older blog articles back in 2011 on how to create a custom ESXi firewall rule, since 5480 was not one of the default ports that is available for […]

    Reply

Thanks for the comment! Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)

Connect

  • Email
  • GitHub
  • LinkedIn
  • RSS
  • Twitter
  • Vimeo

Recent

  • Self-Contained & Automated VMware Cloud Foundation (VCF) deployment using new VLC Holodeck Toolkit 03/29/2023
  • ESXi configstorecli enhancement in vSphere 8.0 Update 1 03/28/2023
  • ESXi on Intel NUC 13 Pro (Arena Canyon) 03/27/2023
  • Quick Tip - Enabling ESXi Coredumps to be stored on USB 03/26/2023
  • How to disable the Efficiency Cores (E-cores) on an Intel NUC? 03/24/2023

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2023