As you know, ESX has a built-in firewall, which means that no communication is allowed unless you explicitly permit it. Luckily, a few basic ports are opened by default.
VMware publishes a list of the ports required for the majority of vSphere functions.
You can open/close ports through vSphere Client or with esxcfg-firewall command.
But let’s agree that doing it through the vSphere Client is a lot easier: you don’t have to know the syntax of the command, log on to your host through SSH, or even run remote commands.
You just go to Security Profile and check the desired rule.
There’s a problem with that approach, though: Security Profile shows only a handful of rules and ports to check.
What if you have an application that needs communication through a port which is not there ?
Wouldn’t it be nice if you could create your own firewall rule?
It’s possible!!!
VMware KB 1021779 gives you the directions to accomplish that by changing the /etc/vmware/firewall/services.xml file.
I would be very careful changing this file: it’s a system file that controls a lot of services, and it’s likely that some future patch will replace it, wiping out your customization.
So, my advice is to create an xml file in /etc/vmware/firewall/ and then create your rule details inside it.
There are a bunch of files at /etc/vmware/firewall/; just take a look at them to understand the syntax, it should be very easy to build your own.
Here’s an example of a rule I created, called ExtraPort, which opens TCP 3434 for inbound and outbound:
Once you have created your file, restart the mgmt-vmware service.
The next time you go to Security Profile you will see your firewall rule there.
You are now ready to give your junior system admin the task of opening and closing ports without worrying too much ; )
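A small audit script, added here as an example (not code from the original post or from VMware), that parses a custom rule file like the one described above and flags malformed rules, or ports that another file in /etc/vmware/firewall/ already opens, before you restart mgmt-vmware. The XML layout of the constructed sample is an assumption modelled on VMware's own service files.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a custom rule file for /etc/vmware/firewall/. The
# element names are an assumption modelled on VMware's own service XML files;
# compare with the files shipped on your host before using it as a template.
SAMPLE_RULE_FILE = """<ConfigRoot>
  <service id="0100">
    <id>ExtraPort</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>3434</port>
    </rule>
    <rule id="0001">
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>3434</port>
    </rule>
  </service>
</ConfigRoot>"""

VALID_DIRECTIONS = {"inbound", "outbound"}
VALID_PROTOCOLS = {"tcp", "udp"}


def parse_rules(xml_text):
    """Return (service name, direction, protocol, port) for every rule."""
    rules = []
    for svc in ET.fromstring(xml_text).findall("service"):
        name = svc.findtext("id", default="?")
        for rule in svc.findall("rule"):
            rules.append((name, rule.findtext("direction"),
                          rule.findtext("protocol"), int(rule.findtext("port"))))
    return rules


def audit(xml_text, already_open):
    """Flag malformed rules and ports that another rule file already opens;
    already_open is a set of (protocol, port) gathered from the other files."""
    findings = []
    for name, direction, proto, port in parse_rules(xml_text):
        if direction not in VALID_DIRECTIONS or proto not in VALID_PROTOCOLS:
            findings.append(f"{name}: unexpected {direction}/{proto}")
        if not 1 <= port <= 65535:
            findings.append(f"{name}: port {port} out of range")
        if (proto, port) in already_open:
            findings.append(f"{name}: {proto}/{port} already opened elsewhere")
    return findings
```

Run `audit()` over each new file with the (protocol, port) pairs collected from the existing ones; an empty list means nothing overlaps or looks malformed.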
Wednesday, September 14, 2011
Custom ESX firewall rules
Labels: firewall, rule, VMWARE, vSphere 4.1
Who am I

- Eduardo Meirelles da Rocha
- I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and make them successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell
