Tip

Configuring the ESXi firewall in VMware vSphere 5

VMware vSphere 5 features a new ESXi firewall that you can configure though the vSphere Client or command line. The addition brings a feature to ESXi 5 that was previously found only in the recently discontinued

    Requires Free Membership to View

ESX hypervisor. VMware argued that ESXi didn't require a firewall, because the lightweight hypervisor had hardly any services or ports open, leaving it with almost nothing to attack.

I believe VMware added a firewall to ESXi 5 for few reasons. With a firewall, ESXi 5 isn't missing a notable feature found in the old ESX Server. Also, a firewall signals to customers and partners that VMware is committed to security. And finally, vSphere 5 is just as secure as before, if not more so.

Like the ESX Server firewall, the new ESXi firewall protects just the management interface and not the individual virtual machines. It's a service-oriented and stateless firewall, meaning that it doesn't keep track of the conversations on the network and it evaluates each packet that goes through. That said, the ESXi firewall features a different firewall engine that eliminates the use of iptables and rule sets that define port rules for services. For remote hosts, you can specify the IP addresses or range of IP addresses that are allowed to access each service. You can configure these parameters with the vSphere Client or command line.

Configuring the ESXi firewall with the vSphere Client

The ESXi 5 firewall is on by default, and sits between the ESXi server management interface and the network.

After you install the ESXi 5 firewall, it's configured to block incoming and outgoing traffic, except for the default TCP and UDP ports used for management access, such as SSH (22), DNS (53), DHCP (68). Note that ICMP (ping) port is enabled to each ESXi host by default.

You can view and edit this list of inbound and outbound TCP and UDP ports in the vSphere Client. Under Host Configuration, click on Software Security Profile. From here, select Properties and you'll see the screen below.

You will notice that the ESXi firewall is tied to the services on the host, which are processes that access the network. If a service is created and there is a checkbox next to it, the service's traffic can pass through the firewall.

You can also define the IP address or range of IP addresses that can access the ESXi host through defined ports. To do that, click on the Firewall button and enter the allowed IP addresses.

Configuring the ESXi firewall from the command line

To configure the host, you can use PowerCLI, the vSphere Management Assistant or the command line on the ESXi host. But first, you must enable Tech Support Mode and/or Remote Tech Support Mode on the ESXi host. After enabling Remote Tech Support Mode, for example, I connected to my ESXi 5 host via Secure Shell. The following files are critical for configuring the firewall:

  • Rule set configuration file: (/etc/vmware/firewall/service.xml) This file contains the default firewall rules, including ports and protocols.
  • Service configuration file: (/etc/vmware/services/service.xml) This file lists the default services and firewall rule groupings.

You can enable and disable rules as well as start and stop services from the vSphere Client, but you can add new firewall rules only from the command line.  You can add rules by adding new XML files in the /etc/vmware/firewall directory. Then, use the esxcli network firewall refresh command to enable the edits.

That command can also enable/disable the entire firewall, enable/disable rules, or add/remove specific IP addresses or ranges to firewall rules.

This was first published in July 2011

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.