By default, there is a set of predefined firewall rules that can be enabled/disabled for the ESXi host from the vSphere Client.
These firewall services can be enabled/disabled for the defined ports (UDP/TCP) from the vSphere Client. However, if you need to enable the service on a protocol that is not defined, you must create new firewall rules from the command line.
For example, the DNS Client service can be enabled/disabled only on UDP port 53.
Note: On the vSphere Client, the DNS service is open on port 53 for UDP only.
To enable the DNS service on port 53 for TCP:
1. Back up the /etc/vmware/firewall/service.xml file by running the command:
2. Modify the access permissions of the service.xml file to allow writes by running the chmod command:
To allow writes:
To toggle the sticky bit flag:
# chmod +t /etc/vmware/firewall/service.xml
3. Open the service.xml file in a text editor.
4. Add the definition of the new service to the service.xml file:
<service id="0032">
<id>DNSTCPOut</id>
<rule id='0000'>
<direction>outbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>53</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
Rule set configuration file example:
<ConfigRoot>
<service id='0000'>
<id>serviceName</id>
<rule id = '0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>80</port>
</rule>
<rule id='0001'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>src</porttype>
<port>
<begin>1020</begin>
<end>1050</end>
</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>
For more information, see the Rule Set Configuration Files section of the vSphere 5.0 Security Guide.
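Before refreshing the firewall, an edited service.xml can be sanity-checked offline. The following Python script is an added example, not part of the KB article or of ESXi: it parses a constructed rule set in the format shown above (reusing the DNSTCPOut name and the 1020-1050 source-port range from this page) and flags values outside the file's vocabulary, out-of-range or inverted ports, missing port elements and duplicate service ids.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the /etc/vmware/firewall/service.xml rule-set format;
# ids follow the four-digit style used on the page.
SAMPLE_XML = """<ConfigRoot>
 <service id='0032'><id>DNSTCPOut</id>
  <rule id='0000'><direction>outbound</direction><protocol>tcp</protocol>
   <porttype>dst</porttype><port>53</port></rule>
  <rule id='0001'><direction>inbound</direction><protocol>tcp</protocol>
   <porttype>src</porttype><port><begin>1020</begin><end>1050</end></port></rule>
  <enabled>true</enabled><required>false</required>
 </service>
</ConfigRoot>"""

# Values the rule-set format accepts for each per-rule field.
VALID = {"direction": ("inbound", "outbound"), "protocol": ("tcp", "udp"),
         "porttype": ("src", "dst")}

def parse_port(port_el):
    """Return (begin, end): a <begin>/<end> range, or a single port repeated."""
    begin, end = port_el.find("begin"), port_el.find("end")
    if begin is not None and end is not None:
        return int(begin.text), int(end.text)
    value = int(port_el.text.strip())
    return value, value

def audit_ruleset(xml_text):
    """Flatten each <rule> into a dict; return (rules, problems) for review."""
    root = ET.fromstring(xml_text)
    rules, problems, seen_ids = [], [], set()
    for svc in root.iter("service"):
        name, sid = svc.findtext("id"), svc.get("id")
        if sid in seen_ids:  # a new service must not reuse an existing id
            problems.append(f"{name}: duplicate service id {sid!r}")
        seen_ids.add(sid)
        for rule in svc.iter("rule"):
            tag = f"{name}/rule {rule.get('id')}"
            r = {"service": name, "enabled": svc.findtext("enabled") == "true"}
            for field, allowed in VALID.items():
                r[field] = rule.findtext(field)
                if r[field] not in allowed:
                    problems.append(f"{tag}: bad {field} {r[field]!r}")
            port_el = rule.find("port")
            if port_el is None:
                problems.append(f"{tag}: missing <port>")
                continue
            r["begin"], r["end"] = parse_port(port_el)
            if not 1 <= r["begin"] <= r["end"] <= 65535:
                problems.append(f"{tag}: bad port range {r['begin']}-{r['end']}")
            rules.append(r)
    return rules, problems
```

Run it against the real file with `audit_ruleset(open("/etc/vmware/firewall/service.xml").read())` and fix anything in the problems list before the refresh step.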
5. Revert the access permissions of the service.xml file to the read-only default by running the command:
# chmod 444 /etc/vmware/firewall/service.xml
6. Refresh the firewall rules so that the change takes effect by running the command:
# esxcli network firewall refresh
or
# localcli network firewall refresh
Note: This setting does not persist after a reboot. To make it persist, see Changing the port used by SSH on an ESXi 5.0 host (2011818).
7. Verify that the new rule set is listed and enabled by running the command:
# esxcli network firewall ruleset list
Name            Enabled
--------------  -------
sshServer       true
sshClient       false
nfsClient       true
dhcp            true
dns             true
snmp            true
ntpClient       false
CIMHttpServer   true
CIMHttpsServer  true
CIMSLP          true
iSCSI           true
DNSTCPOut       true
Note: The DNSTCPOut firewall rule allows outgoing connections on TCP port 53. New firewall rules and services are also viewable under the Host Configuration section in Security Profile using the vSphere Client.