WilliamLam.com

firewall

Quick Tip - List all open ports on the VCSA / PSC

by Leave a Comment

The list of required ports for both a vCenter Server Appliance (VCSA) and Platform Services Controller (PSC) are pretty well documented here (6.5), here (6.0) and here (5.5) for customers who require this information to setup external connectivity within their networking infrastructure. Having said that, it is may not always be clear on what ports are actually opened as they will usually depend on the type of deployment and the services that are running. Instead, some customers have inquired about getting a list of all open ports directly from the VCSA/PSC to ensure they have the actual configuration which can be used to build firewall rules and/or for auditing purposes.

Today, the only method is to login directly into the VCSA/PSC via SSH (you could also use GuestOps API, so that SSH is NOT required) and fetching this information using iptables. Hopefully, in the future, this can be made available as part of the VAMI API since it already covers some basic inbound firewall rule capabilities. In the mean time, below are examples of how to get all the open ports for both VCSA/PSC

Run the following command to view all open ports on VCSA/PSC:

iptables -L port_filter -n --line-numbers


You will notice in the output above, there is also a chain number on the far left side which is associated with each rule. This chain number can be used to inspect the rule further and some rules include a nice alias to help you identify what the port might be used for.

For example, we can run the following to inspect chain rule #30 and find out this port is being used for syslog. If we want the port number, we simply add the -n option.

iptables -L port_filter 30
iptables -L port_filter 30 -n


Not all of the firewall rules have an alias name and even if they do, it still may not be apparent on what service is opening that particular port. We can actually look at the firewall rule definitions which are located under /etc/vmware/appliance/firewall and you will see a JSON file for each of the VCSA/PSC services that require firewall rules to be opened up. For a given port, you can just grep in this directory to identify the service that is requiring the port.

For example, if we take a look at the vmware-syslog, we see that it requires tcp/udp 514 and tcp 1514 under the "rules" array which defines the list of external ports open. You can ignore the internal ports as those are not exposed to the outside world but used by internal services. In case the services are still not clear, you can always reference the port number back to the documentation which I had linked above to get more details about the particular port.

A Pretty Cool Method of Upgrading to ESXi 5.1

by 40 Comments

I recently came across an interesting article by Andreas Peetz which shows you how to patch an ESXi host using an image profile that is directly available on VMware's online depot within the ESXi shell. I knew that VMware had online depots for use with VUM and Auto Deploy but I was not aware of this particular method, especially directly from the host.

Disclaimer: This method assumes you can install the default ESXi Image Profile with no additional drivers or packages, else you may have connectivity issue after the upgrade. If you still need to customize the ESXi Image Profile before installation, you will still need to use something like Image Builder and then upload that to your online depot.

Note: There are many ways that you can patch/upgrade your ESXi hosts, here is another article that provides more details for command-line only methods.

Before you get started, you will need to make sure that your ESXi host has the httpClient firewall rule enabled, else you will not be able to connect to VMware's online depot. To enable this, run the following ESXCLI command:

esxcli network firewall ruleset set -e true -r httpClient

Also make sure that your ESXi host can reach the following URL (you can specify a proxy if needed):

https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

To view the available ESXi Image Profiles, run the following ESXCLI command (use the --proxy if you need to specify a proxy to reach VMware's online depot):

esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

If you are able to successfully connect to the online depot, you see a list of all the ESXi Image Profiles that are available to you. You will see two ESXi 5.1 Image Profiles (these were recently published), one with VMware Tools and one without VMware Tools.

Note: Before you begin, make sure you do not have any running VMs and put your host into maintenance mode.

Let's go ahead and upgrade our ESXi 5.0 Update 1 host to latest ESXi 5.1. To install the new Image Profile, run the following command:

esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.1.0-799733-standard

This can take a few minutes to complete depending on how fast you can pull down the Image Profile. Once it is done, you will see all the new VIBs that have been updated and you will be asked to reboot for the changes to go into effect and then you will be running ESXi 5.1! Pretty cool IMO!

Using a VNC Client to Connect to VMs in ESXi 5

by 10 Comments

The ability to connect to a virtual machine using a VNC client has been available since the early days of VMware GSX as described by this VMware KB article. The required .vmx configuration can also be applied to virtual machines running on ESX(i), but is not officially supported by VMware. With ESXi 5, this continues to work but there is one additional caveat users should to be aware of, which is the new firewall that has been introduced in ESXi 5.

In addition to the three .vmx configurations:

  • RemoteDisplay.vnc.enabled = [true|false]
  • RemoteDisplay.vnc.port = [port #]
  • RemoteDisplay.vnc.password = [optional]

Users need to also enable the ports selected for each virtual machine on the ESXi firewall. Here is an example of a firewall rule that needs to be created:

Take a look at this blog post for details on configuring custom firewall rules including persisting the custom rules upon a system reboot.

Here are a few screenshots of configuring the .vmx configurations and using a VNC client to connect to the powered on virtual machine.

Only the first two .vmx configurations are required, if you do not set a password, anyone can connect to the virtual machine as long as they know the hostname/IP Address of your ESX(i) host and port.

To connect to a specific virtual machine, you will specify the hostname/IP Address of the ESX(i) host and port for the given virtual machine. If you set a password, you will need to also provide that before you can connect.

Please be aware of the limitations and security concerns of using VNC. VMware Remote Console or standard RDP/SSH should still be considered for virtual machine remote access.

How to Create Custom Firewall Rules in ESXi 5.0

by 28 Comments

In ESXi 5.0, the firewall system has been completely revamped to provide the same functionality as the classic ESX Service Console esxcfg-firewall command. To access the firewall configurations, you can use the following esxcli namespace: esxcli network firewall. By default, there are set of predefined services that a user can enable or disable upon startup.

To list the default firewall rules, you can run the following command:  

esxcli network firewall ruleset list

You can also create your own custom firewall rules/services, but unfortunately this has to go outside of the esxcli framework with a custom firewall rule configuration file. An example firewall rule can be viewed under /etc/vmware/firewall/ if you have FDM enabled and you should find a file called fdm.xml which looks a little something like this:
This XML configuration file describes the name of the firewall rule/service and also specifies the various ports, port type, protocol and direction of a given service.

In the following example, I will create a new firewall rule called "virtuallyGhetto" and it will have port 1337 using TCP for both inbound/outbound and port 20120 using UDP for both inbound/oubound. You will need to create a new XML file and specify a name which I have called /etc/vmware/firewall/virtuallyGhetto.xml

Next we will need to reload the firewall by performing a "refresh" operation and then list the rules again using the following command:  

esxcli network firewall refresh
esxcli network firewall ruleset list

We can also verify that the individual rulesets for our new firewall rule/service by running the following command and grepping for the rule in question:

esxcli network firewall ruleset rule list | grep virtuallyGhetto

The new ESXi firewall also allows you to specify specific IP Address or IP ranges to access a particular service. In the following example I disable the "allow all" and specify a particular range for the virtuallyGhetto service using the following commands:

esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto
esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto

The new firewall rules/services are also viewable under the host configuration section "Security Profile" using the vSphere Client:

As you can see it is pretty straight forward to add your own firewall rules and this can easily be incorporated into your kickstart builds.

UPDATE1: How to persist custom firewall rules in ESXi 5, take a look at these two articles here and here.

UPDATE2: Duncan Epping just posted an article on creating your own vibs which will persist firewall rules, definitely take a look as another option.

UPDATE3: You can now easily create persistent firewall rules and other files using the new VIB Author Fling, please take a look at this article here for some examples.