If you run a VMware server you'll run into situations where you'll want to manually tweak a firewall setting. This excerpt from Troy & Helmke's VMware cookbook will show you how to open and close firewall ports via the console.
Although vCenter has an option called Security Profile that can help you maintain a large number of preset firewalls, you may encounter situations where you will need to maintain a custom rule specific to an application you wish to run.
ESX has a great tool called esxcfg-firewall that allows you to maintain your firewall from the command line.
Before we get started, let’s take a look at some of the configuration options the esxcfg-firewall command offers:
[root@esx6cluster2 log]# esxcfg-firewall -h esxcfg-firewall
-q|--query Lists current settings. -q|--query Lists setting for the specified service. -q|--query incoming|outgoing Lists setting for non-required incoming/outgoing ports. -s|--services Lists known services. -l|--load Loads current settings. -r|--resetDefaults Resets all options to defaults -e|--enableService Allows specified service through the firewall. -d|--disableService Blocks specified service -o|--openPort Opens a port. -c|--closePort Closes a port previously opened via --openPort. --blockIncoming Block all non-required incoming ports (default value). --blockOutgoing Block all non-required outgoing ports (default value). --allowIncoming Allow all incoming ports. --allowOutgoing Allow all outgoing ports. -h|--help Show this message.
Different levels of security—low, medium, and high—can be applied to the ESX firewall. The default setting is high, blocking all inbound traffic and allowing outbound communication only over ports 80, 443, 902, 427, 5988, 5989, 111, 2049, 27000–27010, and 22. These ports provide the basic foundation for the ESX Server to communicate over the network. You can verify your firewall security settings by running the following commands:
esxcfg-firewall -q incoming esxcfg-firewall -q outgoing
Depending on the results of these commands, you can verify your ESX host’s security level by using Table 6-1 as a reference.
Depending on the situation or your environment, you may wish to change the default security policy on your ESX hosts. It’s recommended that you leave the security level set to its default and that you only open specific ports, but if you want to change the security level you can do so with the following commands:
esxcfg-firewall --allowIncoming --allowOutgoing
To set the security level to medium:
esxcfg-firewall --blockIncoming --allowOutgoing
To set the security level to high:
esxcfg-firewall --blockIncoming -blockOutgoing
service mgmt-vmware restart
Other helpful commands to view your firewall ruleset are:
To display all the firewall settings, inbound and outbound:
To display known ESX Server firewall services by name:
Example output looks like this:
activeDirectorKerberos caARCserve CIMHttpServer CIMHttpsServer CIMSLP commvaultDynamic commvaultStatic ftpClient ftpServer kerberos LDAP LDAPS legatoNetWorker LicenseClient nfsClient nisClient ntpClient smbClient snmpd sshClient sshServer swISCSIClient symantecBackupExec symantecNetBackup telnetClient TSM updateManager VCB vncServer vpxHeartbeats
esxcfg-firewall -o port,protocol,direction,service_name
where port specifies the application ports, protocol is either tcp or udp, direction is either in or out, and service_name is the firewall service name (see Table 6-2).
esxcfg-firewall -c port,protocol,direction
esxcfg-firewall -e service_name
esxcfg-firewall -d service_name
Table 6-2 lists the service names that can be used with the esxcfg-firewall command.
Once you get familiar with the syntax, the esxcfg-firewall command will allow you to tweak and secure your environment. Remember, after making any changes to your firewall configuration, you will need to restart the firewall services using the following command:
service mgmt-vmware restart
Learn more about this topic from VMware Cookbook.
This book provides a look into real-world use of VMware ESX and ESXi, with step-by-step solutions for problems that occur in a wide range of environments. Written by experts with experience using VMware in a production environment, VMware Cookbook shares tips and tricks earned through trial and error, and supplies the background information you need to apply them.