VMware vSphere 5 features a new ESXi firewall that you can configure though the vSphere Client or command line. The addition brings a feature to ESXi 5 that was previously found only in the recently discontinued ESX hypervisor. VMware argued that ESXi didn't require a firewall, because the lightweight hypervisor had hardly any services or ports open, leaving it with almost nothing to attack.
I believe VMware added a firewall to ESXi 5 for few reasons. With a firewall, ESXi 5 isn't missing a notable feature found in the old ESX Server. Also, a firewall signals to customers and partners that VMware is committed to security. And finally, vSphere 5 is just as secure as before, if not more so.
Like the ESX Server firewall, the new ESXi firewall protects just the management interface and not the individual virtual machines. It's a service-oriented and stateless firewall, meaning that it doesn't keep track of the conversations on the network and it evaluates each packet that goes through. That said, the ESXi firewall features a different firewall engine that eliminates the use of iptables and rule sets that define port rules for services. For remote hosts, you can specify the IP addresses or range of IP addresses that are allowed to access each service. You can configure these parameters with the vSphere Client or command line.
Configuring the ESXi firewall with the vSphere Client
The ESXi 5 firewall is on by default, and sits between the ESXi server management interface and the network.
After you install the ESXi 5 firewall, it's configured to block incoming and outgoing traffic, except for the default TCP and UDP ports used for management access, such as SSH (22), DNS (53), DHCP (68). Note that ICMP (ping) port is enabled to each ESXi host by default.
You can view and edit this list of inbound and outbound TCP and UDP ports in the vSphere Client. Under Host Configuration, click on Software Security Profile. From here, select Properties and you'll see the screen below.
You will notice that the ESXi firewall is tied to the services on the host, which are processes that access the network. If a service is created and there is a checkbox next to it, the service's traffic can pass through the firewall.
You can also define the IP address or range of IP addresses that can access the ESXi host through defined ports. To do that, click on the Firewall button and enter the allowed IP addresses.
Configuring the ESXi firewall from the command line
To configure the host, you can use PowerCLI, the vSphere Management Assistant or the command line on the ESXi host. But first, you must enable Tech Support Mode and/or Remote Tech Support Mode on the ESXi host. After enabling Remote Tech Support Mode, for example, I connected to my ESXi 5 host via Secure Shell. The following files are critical for configuring the firewall:
- Rule set configuration file: (/etc/vmware/firewall/service.xml) This file contains the default firewall rules, including ports and protocols.
- Service configuration file: (/etc/vmware/services/service.xml) This file lists the default services and firewall rule groupings.
You can enable and disable rules as well as start and stop services from the vSphere Client, but you can add new firewall rules only from the command line. You can add rules by adding new XML files in the /etc/vmware/firewall directory. Then, use the esxcli network firewall refresh command to enable the edits.
That command can also enable/disable the entire firewall, enable/disable rules, or add/remove specific IP addresses or ranges to firewall rules.
Five things to know about the ESXi 5 firewall
- It’s a stateless firewall based on ESXi services.
- It’s enabled by default.
- It sits between the ESXi host management interface and the management network on the local area network.
- It’s configurable through the vSphere Client. Go to Host Configuration > Software > Security Profile.
- It’s also configurable via the vSphere Management Assistance or directly to the ESXi server using the esxcli command. Or you can use PowerCLI.