- Enable/Disable pre-configured services
- Configure service behaviour automation
- Open/Close ports in the firewall
- Create a custom service
- Set firewall security level
Enable/Disable pre-configured services
vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 37.
An ESXi host has a group of preconfigured services, which can be found via: Configuration, Software, Security Profile, Services Section.
Behaviour can be changed by selecting a service and choosing “Options”.
Services can be stopped or (re)started and the “Startup Policy” can be adjusted.
The default and recommended Startup Policy is “Start automatically if any ports are open, and stop when all ports are closed”.
If any port is open, the client attempts to contact the network resources pertinent to the service in question. If some ports are open, but the port for a particular service is closed, the attempt fails, but there is little drawback to such a case. If and when the applicable outgoing port is opened, the service begins completing its tasks. In other words, service behaviour depends on the firewall settings.
Policy “Start and stop with host” means: The service starts shortly after the host starts and closes shortly before the host shuts down.
Policy “Start and stop manually”: The host preserves the user-determined service settings, regardless of whether ports are open or not. This setting is preserved after rebooting a host.
Important NOTE: the ESXi firewall automatically enables or disables rule sets based on the service's Startup Policy. When a service starts, its corresponding rule set is enabled; when the service stops, the rule set is disabled.
Configure service behaviour automation
vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 38.
See the previous section: the Startup Policy options described there are the service behaviour automation.
Open/Close ports in the firewall
vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 34.
An overview of the ESXi firewall configuration can be found via: Configuration, Software, Security Profile, Firewall Section.
After selecting a Service or Client, you can adjust the Firewall settings and, depending on the service, the Service Options become available (see previous section).
You can specify which networks are allowed to connect to each service that is running on the host.
You can use the vSphere Client or the command line to update the Allowed IP list for a service. By default, all IP addresses are allowed.
Create a custom service
vSphere Security Guide, Chapter 3 “Securing the Management Interface”, section “Rule Set Configuration Files”, page 34.
The firewall rule set definitions are stored on the ESXi host in the folder: /etc/vmware/firewall.
The default file is service.xml. Depending on your configuration, additional rule set files may be present; for example, adding an ESXi host to an HA-enabled cluster adds the fdm.xml rule set.
The vSphere Security Guide contains detailed information on how to create a new configuration file.
Tip: you can create a new rule set by copying an existing rule set file and editing it. If you are familiar with the vi editor, stay on the ESXi host; otherwise use WinSCP to copy the file back and forth to your favourite management station.
After adding a service, you need to refresh the firewall settings. On the ESXi host, use the following command:
# esxcli network firewall refresh
- See also VMware KB 2008226 “Creating custom firewall rules in VMware ESXi 5.0”
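As an added example (not from the page or from VMware), the following POSIX shell function writes a custom rule set file in the same layout as service.xml, validating the inputs first, and a second function shows the esxcli steps that follow on the host: refreshing the firewall and restricting the new service to an allowed network instead of the default "all IP addresses". The rule set id "mgmtBackup", port 10514 and network 192.0.2.0/24 are constructed sample values.

```shell
#!/bin/sh
# Added example: generate /etc/vmware/firewall/<name>.xml for a custom ESXi 5.x service.
# Arguments: ruleset id, tcp|udp, destination port, inbound|outbound, output path.
write_ruleset() {
    name=$1; proto=$2; port=$3; direction=$4; out=$5
    # Reject bad values early: a malformed file is silently ignored on refresh.
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad ruleset id: $name" >&2; return 1;; esac
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    case "$direction" in inbound|outbound) ;; *) echo "bad direction: $direction" >&2; return 1;; esac
    # Same element layout as the entries in service.xml (one rule per <rule> element).
    cat > "$out" <<EOF
<ConfigRoot>
  <service id="0000">
    <id>$name</id>
    <rule id="0000">
      <direction>$direction</direction>
      <protocol>$proto</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Steps to run on the ESXi host after copying the file into /etc/vmware/firewall.
# On a management station (no esxcli) the commands are only printed.
apply_ruleset() {
    name=$1; allowed_net=$2
    run() { if command -v esxcli >/dev/null 2>&1; then "$@"; else echo "would run: $*"; fi; }
    run esxcli network firewall refresh
    run esxcli network firewall ruleset set --ruleset-id="$name" --enabled=true
    # Replace the "allow all IPs" default with an explicit allowed network.
    run esxcli network firewall ruleset set --ruleset-id="$name" --allowed-all=false
    run esxcli network firewall ruleset allowedip add --ruleset-id="$name" --ip-address="$allowed_net"
}

# Sample usage with constructed values; writes to a temp file for preview.
tmp=${TMPDIR:-/tmp}/mgmtBackup.xml
write_ruleset mgmtBackup tcp 10514 inbound "$tmp" && apply_ruleset mgmtBackup 192.0.2.0/24
```

Check the result with "esxcli network firewall ruleset list" and "esxcli network firewall ruleset allowedip list" on the host.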
Set firewall security level
The following esxcli command shows some important ESXi firewall settings:
# esxcli network firewall get
   Default Action: DROP
   Enabled: true
   Loaded: true
For troubleshooting purposes, you can temporarily disable the firewall with this command:
# esxcli network firewall set --enabled false
# esxcli network firewall get
   Default Action: DROP
   Enabled: false
   Loaded: true
The default action can also be changed from DROP to PASS (not a good idea) with the following; note that --default-action true means PASS and false means DROP:
# esxcli network firewall set --default-action true
# esxcli network firewall get
   Default Action: PASS
   Enabled: true
   Loaded: true
You can also unload the firewall module completely, which shows as Loaded: false:
# esxcli network firewall unload
# esxcli network firewall get
   Default Action: PASS
   Enabled: true
   Loaded: false