Configuring the ESXi firewall in VMware vSphere 5

VMware vSphere 5 features a new ESXi firewall that you can configure through the vSphere Client or the command line. The addition brings to ESXi 5 a feature that was previously found only in the recently discontinued ESX hypervisor. VMware had argued that ESXi didn't require a firewall, because the lightweight hypervisor had hardly any services or ports open, leaving it with almost nothing to attack.

I believe VMware added a firewall to ESXi 5 for a few reasons. With a firewall, ESXi 5 isn't missing a notable feature found in the old ESX Server. Also, a firewall signals to customers and partners that VMware is committed to security. And finally, vSphere 5 is just as secure as before, if not more so.

Like the ESX Server firewall, the new ESXi firewall protects only the management interface, not the individual virtual machines. It is a service-oriented, stateless firewall: it doesn't track connections on the network, and it evaluates each packet that passes through on its own. Unlike ESX, however, the ESXi firewall uses a different firewall engine that does away with iptables; instead, rule sets define the port rules for each service. For remote hosts, you can specify the IP addresses or ranges of IP addresses that are allowed to access each service. You can configure these parameters with the vSphere Client or from the command line.

Configuring the ESXi firewall with the vSphere Client
The ESXi 5 firewall is on by default, and sits between the ESXi server management interface and the network.

After you install ESXi 5, the firewall is configured to block incoming and outgoing traffic, except on the default TCP and UDP ports used for management access, such as SSH (22), DNS (53) and DHCP (68). Note that ICMP (ping) to each ESXi host is enabled by default.

You can view and edit this list of inbound and outbound TCP and UDP ports in the vSphere Client. On the host's Configuration tab, under Software, click Security Profile. From there, select Properties and you'll see the firewall properties screen.

You will notice that the ESXi firewall is tied to the services on the host, which are processes that access the network. If the checkbox next to a service is selected, that service's traffic can pass through the firewall.

You can also define the IP address or range of IP addresses that can access the ESXi host through defined ports. To do that, click on the Firewall button and enter the allowed IP addresses.

Configuring the ESXi firewall from the command line
To configure the host, you can use PowerCLI, the vSphere Management Assistant or the command line on the ESXi host. But first, you must enable Tech Support Mode and/or Remote Tech Support Mode on the ESXi host. After enabling Remote Tech Support Mode, for example, I connected to my ESXi 5 host via Secure Shell. The following files are critical for configuring the firewall:

  • Rule set configuration file: (/etc/vmware/firewall/service.xml) This file contains the default firewall rules, including ports and protocols.
  • Service configuration file: (/etc/vmware/services/service.xml) This file lists the default services and firewall rule groupings.

You can enable and disable rules as well as start and stop services from the vSphere Client, but you can add new firewall rules only from the command line. You add rules by placing new XML files in the /etc/vmware/firewall directory, then running the esxcli network firewall refresh command to load the edits.

The esxcli network firewall namespace of commands can also enable or disable the entire firewall, enable or disable rule sets, and add or remove specific IP addresses or ranges from a rule set's allowed list.
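The command-line procedure above, as an added example that is not from the original article or from VMware: a POSIX shell script that writes a custom rule set file in the /etc/vmware/firewall XML format, reloads the firewall and restricts the new rule set to one allowed source range. The rule set name backupAgent, port 10000 and the range 10.10.5.0/24 are constructed sample values; ESXCLI defaults to `echo esxcli`, so the script is a dry run unless you export ESXCLI=esxcli on the host itself.

```shell
#!/bin/sh
# Added example (not the article's own code). ESXCLI defaults to a dry run
# that only prints the esxcli commands; set ESXCLI=esxcli on an ESXi 5 host.
ESXCLI="${ESXCLI:-echo esxcli}"

# Print one rule set in the ESXi firewall XML format.
# $1 = rule set id, $2 = direction (inbound|outbound), $3 = protocol (tcp|udp), $4 = port
make_ruleset_xml() {
    cat <<EOF
<ConfigRoot>
  <service id="0000">
    <id>$1</id>
    <rule id="0000">
      <direction>$2</direction>
      <protocol>$3</protocol>
      <porttype>dst</porttype>
      <port>$4</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Write the rule set file, reload the firewall, enable the rule set and
# limit it to a single source range.
# $1 = rule set id, $2 = allowed CIDR, $3 = output dir (default /etc/vmware/firewall)
deploy_ruleset() {
    dir="${3:-/etc/vmware/firewall}"
    make_ruleset_xml "$1" inbound tcp 10000 > "$dir/$1.xml"   # port 10000 is a sample value
    $ESXCLI network firewall refresh
    $ESXCLI network firewall ruleset set --ruleset-id "$1" --enabled true
    # Turn off "allowed from anywhere" before adding the range, so the service
    # is never briefly reachable from all sources (fail closed, not open).
    $ESXCLI network firewall ruleset set --ruleset-id "$1" --allowed-all false
    $ESXCLI network firewall ruleset allowedip add --ruleset-id "$1" --ip-address "$2"
    $ESXCLI network firewall ruleset allowedip list --ruleset-id "$1"
}

# Dry-run demonstration into a temporary directory (constructed sample values).
demo_dir="$(mktemp -d)"
deploy_ruleset backupAgent 10.10.5.0/24 "$demo_dir"
cat "$demo_dir/backupAgent.xml"
```

The rule set is created with <enabled>false</enabled> so nothing opens until the explicit `ruleset set --enabled true` step; after deploying, `esxcli network firewall ruleset rule list` and `ruleset allowedip list` confirm what the host actually exposes.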

This was first published in July 2011
