
How to Open and Close a Firewall Port via the Console on a VMware Server

Posted Jun 16 2010 11:40 AM

If you run a VMware server you'll run into situations where you'll want to manually tweak a firewall setting. This excerpt from Troy & Helmke's VMware cookbook will show you how to open and close firewall ports via the console.


Although vCenter has an option called Security Profile that can help you maintain a large number of preset firewalls, you may encounter situations where you will need to maintain a custom rule specific to an application you wish to run.

ESX has a great tool called esxcfg-firewall that allows you to maintain your firewall from the command line.

Before we get started, let’s take a look at some of the configuration options the esxcfg-firewall command offers:

[root@esx6cluster2 log]# esxcfg-firewall -h

esxcfg-firewall
  -q|--query                      Lists current settings.
  -q|--query                      Lists setting for the specified service.
  -q|--query incoming|outgoing    Lists setting for non-required incoming/outgoing ports.
  -s|--services                   Lists known services.
  -l|--load                       Loads current settings.
  -r|--resetDefaults              Resets all options to defaults.
  -e|--enableService              Allows specified service through the firewall.
  -d|--disableService             Blocks specified service.
  -o|--openPort                   Opens a port.
  -c|--closePort                  Closes a port previously opened via --openPort.
     --blockIncoming              Block all non-required incoming ports (default value).
     --blockOutgoing              Block all non-required outgoing ports (default value).
     --allowIncoming              Allow all incoming ports.
     --allowOutgoing              Allow all outgoing ports.
  -h|--help                       Show this message.

Different levels of security—low, medium, and high—can be applied to the ESX firewall. The default setting is high, blocking all inbound traffic and allowing outbound communication only over ports 80, 443, 902, 427, 5988, 5989, 111, 2049, 27000–27010, and 22. These ports provide the basic foundation for the ESX Server to communicate over the network. You can verify your firewall security settings by running the following commands:

esxcfg-firewall -q incoming

esxcfg-firewall -q outgoing

Depending on the results of these commands, you can verify your ESX host’s security level by using Table 6-1 as a reference.

Table 6-1. ESX host firewall levels

  Configuration                                                                   Security level
  Incoming ports blocked by default.     Outgoing ports blocked by default.       High
  Incoming ports blocked by default.     Outgoing ports not blocked by default.   Medium
  Incoming ports not blocked by default. Outgoing ports not blocked by default.   Low
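The mapping in Table 6-1 is easy to get wrong when reading two query results by eye, so here is a small POSIX shell helper (an added example, not code from the VMware Cookbook) that turns the two `esxcfg-firewall -q` answers into the level name. It assumes that `esxcfg-firewall -q incoming` and `-q outgoing` each print one line of the form "Incoming ports blocked by default." or "Outgoing ports not blocked by default."; the sample lines used below are constructed to match that assumption, and `check_host` is the only function that actually calls the ESX tool.

```shell
#!/bin/sh
# Added example: classify the ESX firewall level from the two query results,
# following Table 6-1 of the excerpt. Assumption: the query output is a single
# line such as "Incoming ports blocked by default." / "Outgoing ports not
# blocked by default."

# classify_level INCOMING_LINE OUTGOING_LINE -> prints High|Medium|Low|Unknown
classify_level() {
    in_line=$1
    out_line=$2
    # "not blocked" must be tested before the bare "blocked" pattern.
    case "$in_line" in
        *"not blocked"*) in_blocked=no ;;
        *"blocked"*)     in_blocked=yes ;;
        *)               echo "Unknown"; return 1 ;;
    esac
    case "$out_line" in
        *"not blocked"*) out_blocked=no ;;
        *"blocked"*)     out_blocked=yes ;;
        *)               echo "Unknown"; return 1 ;;
    esac
    if [ "$in_blocked" = yes ] && [ "$out_blocked" = yes ]; then
        echo "High"
    elif [ "$in_blocked" = yes ]; then
        echo "Medium"
    elif [ "$out_blocked" = no ]; then
        echo "Low"
    else
        # Incoming open but outgoing blocked is not a level in Table 6-1.
        echo "Unknown"; return 1
    fi
}

# check_host runs the real queries on an ESX host (not executed in this demo).
check_host() {
    in_line=$(esxcfg-firewall -q incoming)
    out_line=$(esxcfg-firewall -q outgoing)
    classify_level "$in_line" "$out_line"
}

# Constructed sample input standing in for the two query results:
classify_level "Incoming ports blocked by default." "Outgoing ports blocked by default."
```

Running `check_host` on an ESX host prints the level; anything other than "High" on a host you expected to be at the default is worth investigating before opening further ports.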

Depending on the situation or your environment, you may wish to change the default security policy on your ESX hosts. It’s recommended that you leave the security level set to its default and that you only open specific ports, but if you want to change the security level you can do so with the following commands:

  • To set the security level to low:

    esxcfg-firewall --allowIncoming --allowOutgoing

  • To set the security level to medium:

    esxcfg-firewall --blockIncoming --allowOutgoing

  • To set the security level to high:

    esxcfg-firewall --blockIncoming --blockOutgoing

After making these changes, you’ll need to restart the VMware services in order for the new rules to take effect:

service mgmt-vmware restart

Other helpful commands to view your firewall ruleset are:

  • To display all the firewall settings, inbound and outbound:

    esxcfg-firewall -q

  • To display known ESX Server firewall services by name:

    esxcfg-firewall -s

Example output looks like this:

activeDirectorKerberos caARCserve CIMHttpServer CIMHttpsServer CIMSLP
commvaultDynamic commvaultStatic ftpClient ftpServer kerberos LDAP LDAPS
legatoNetWorker LicenseClient nfsClient nisClient ntpClient smbClient snmpd
sshClient sshServer swISCSIClient symantecBackupExec symantecNetBackup telnetClient
TSM updateManager VCB vncServer vpxHeartbeats

Enabling the firewall to allow or deny certain ports, both inbound and outbound, is relatively simple. To accomplish this, you’ll again use the esxcfg-firewall command.

To open a firewall port, use the following syntax:

esxcfg-firewall -o port,protocol,direction,service_name

where port is the port number the application uses, protocol is either tcp or udp, direction is either in or out, and service_name is the firewall service name (see Table 6-2).

To close a firewall port, use the following syntax. Notice that when closing a port, you don’t specify a name:

esxcfg-firewall -c port,protocol,direction

You can also enable services within the firewall by using the following command, where the -e option specifies the name of the service:

esxcfg-firewall -e service_name

Alternatively, you can disable services using the same command with the -d parameter:

esxcfg-firewall -d service_name

Table 6-2 lists the service names that can be used with the esxcfg-firewall command.

Table 6-2. Available firewall service names

  aam                     activeDirectorKerberos   caARCserve
  activeDirectorKerberos  CIMHttpServer            CIMHttpsServer
  CIMSLP                  commvaultDynamic         commvaultStatic
  ftpClient               ftpServer                kerberos
  LDAP                    LDAPS                    legatoNetWorker
  LicenseClient           nfsClient                nisClient
  ntpClient               smbClient                snmpd
  sshClient               sshServer                swISCSIClient
  symantecBackupExec      symantecNetBackup        telnetClient
  TSM                     updateManager            VCB
  vncServer               vpxHeartbeats
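Because esxcfg-firewall takes its arguments as a single comma-separated field, a typo in the protocol or direction produces a rule you did not intend. The POSIX shell wrapper below (an added example, not part of the VMware Cookbook) validates the port, protocol and direction against the syntax given above, warns when the service name is not one of the Table 6-2 names (a custom rule is still allowed, since that is the use case the excerpt describes), and by default only prints the command it would run. The `ESXFW_RUN` environment variable and the function names are this example's own conventions; when `ESXFW_RUN=1` the wrapper runs the command on the host and then restarts the management service as the excerpt instructs.

```shell
#!/bin/sh
# Added example: validate esxcfg-firewall -o / -c arguments and show the
# resulting command. Dry run by default; set ESXFW_RUN=1 on an ESX host to
# execute. Syntax per the excerpt:
#   esxcfg-firewall -o port,protocol,direction,service_name
#   esxcfg-firewall -c port,protocol,direction

# Service names from Table 6-2 (also listed by esxcfg-firewall -s).
KNOWN_SERVICES="aam activeDirectorKerberos caARCserve CIMHttpServer CIMHttpsServer CIMSLP commvaultDynamic commvaultStatic ftpClient ftpServer kerberos LDAP LDAPS legatoNetWorker LicenseClient nfsClient nisClient ntpClient smbClient snmpd sshClient sshServer swISCSIClient symantecBackupExec symantecNetBackup telnetClient TSM updateManager VCB vncServer vpxHeartbeats"

# validate_port_spec PORT PROTOCOL DIRECTION -> 0 if valid, 1 plus a message otherwise
validate_port_spec() {
    case "$1" in
        ''|*[!0-9]*) echo "port must be numeric: '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "port out of range 1-65535: $1" >&2; return 1
    fi
    case "$2" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp: '$2'" >&2; return 1 ;;
    esac
    case "$3" in
        in|out) ;;
        *) echo "direction must be in or out: '$3'" >&2; return 1 ;;
    esac
    return 0
}

# known_service NAME -> 0 if NAME appears in the Table 6-2 list
known_service() {
    for s in $KNOWN_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# run_fw CMD: print the command; execute it (and restart mgmt-vmware) only if ESXFW_RUN=1
run_fw() {
    echo "$1"
    if [ "${ESXFW_RUN:-0}" = 1 ]; then
        $1 && service mgmt-vmware restart
    fi
}

# open_port PORT PROTOCOL DIRECTION SERVICE -> prints "esxcfg-firewall -o ..."
open_port() {
    validate_port_spec "$1" "$2" "$3" || return 1
    if [ -z "$4" ]; then
        echo "service name is required when opening a port" >&2; return 1
    fi
    known_service "$4" || echo "note: '$4' is not a Table 6-2 name (custom rule)" >&2
    run_fw "esxcfg-firewall -o $1,$2,$3,$4"
}

# close_port PORT PROTOCOL DIRECTION -> prints "esxcfg-firewall -c ..." (no service name)
close_port() {
    validate_port_spec "$1" "$2" "$3" || return 1
    run_fw "esxcfg-firewall -c $1,$2,$3"
}

# Constructed usage: a hypothetical backup agent listening on TCP 9999 inbound.
open_port 9999 tcp in backupAgent
close_port 9999 tcp in
```

Rejected arguments produce no command at all, so a script built on these functions cannot fall through to a half-formed rule; the dry-run output is also a convenient record to keep beside the change ticket that justified opening the port.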

Once you get familiar with the syntax, the esxcfg-firewall command will allow you to tweak and secure your environment. Remember, after making any changes to your firewall configuration, you will need to restart the firewall services using the following command:

service mgmt-vmware restart
Learn more about this topic from VMware Cookbook. 

This book provides a look into real-world use of VMware ESX and ESXi, with step-by-step solutions for problems that occur in a wide range of environments. Written by experts with experience using VMware in a production environment, VMware Cookbook shares tips and tricks earned through trial and error, and supplies the background information you need to apply them.
