Wednesday, September 14, 2011

Custom ESX firewall rules

As you know, ESX has a built-in firewall, which means that no communication is allowed unless you explicitly permit it. Luckily, a few basic ports are opened by default.

Check here for a list of the ports required for the majority of VMware functions.

You can open and close ports through the vSphere Client or with the esxcfg-firewall command.
But let’s agree that doing it through the vSphere Client is a lot easier: you don’t have to know the command syntax, log on to your host through SSH, or even run remote commands.
You just go to Security Profile and check the desired rule.

There’s a problem with that approach: Security Profile only shows a handful of rules and ports that can be checked.

What if you have an application that needs communication through a port which is not in that list?
Wouldn’t it be nice if you could create your own firewall rule?

It’s possible!!!
VMware KB1021779 gives you the directions to accomplish that by changing the /etc/vmware/firewall/services.xml file.

I would be very careful changing this file: it’s a system file which controls a lot of services, and it’s likely that some future patch will replace it, wiping out your customization.

So, my advice is to create a separate XML file in /etc/vmware/firewall/ and put your rule details inside it.
There are a bunch of files in /etc/vmware/firewall/; just take a look at them to understand the syntax, it should be very easy to build your own.

Here’s an example of a rule I created called ExtraPort which opens TCP 3434 for inbound and outbound:

Once you create your file, restart the mgmt-vmware service.

Next time you go through Security Profile you will see your firewall rule in there.

You are now ready to give your junior system admin the task of opening and closing ports without worrying too much ; )
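Since the custom files live outside the stock services.xml, it is worth checking from time to time what they actually open. The script below is an added example (not from this post or from VMware): it parses a rule file and flags any port that is not on an approved list. The element layout (ConfigRoot/service/id, rule/direction, protocol, port) is an assumption about the services.xml-style schema, so compare it with the files on your own host’s build; the sample rule file is constructed in the style of the ExtraPort rule above.

```python
# Added example, not from the original post or from VMware: audit which
# ports a custom /etc/vmware/firewall/*.xml rule file opens. The element
# layout (ConfigRoot/service/id, rule/direction, protocol, port) is an
# assumption about the services.xml-style schema; verify it on your host.
import xml.etree.ElementTree as ET

# Constructed sample in the post's style: ExtraPort opens TCP 3434 both ways.
SAMPLE_RULE_FILE = """<ConfigRoot>
  <service>
    <id>ExtraPort</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>3434</port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>3434</port>
    </rule>
  </service>
</ConfigRoot>
"""

def parse_rules(xml_text):
    """Return (service, direction, protocol, port) tuples from one rule file."""
    root = ET.fromstring(xml_text)
    rules = []
    for service in root.iter("service"):
        name = (service.findtext("id") or "?").strip()
        for rule in service.iter("rule"):
            rules.append((
                name,
                (rule.findtext("direction") or "?").strip(),
                (rule.findtext("protocol") or "?").strip().lower(),
                (rule.findtext("port") or "?").strip(),
            ))
    return rules

def unexpected_rules(xml_text, allowed_ports):
    """Rules whose port is not on the admin-approved allow list (ints)."""
    allowed = {str(p) for p in allowed_ports}
    return [r for r in parse_rules(xml_text) if r[3] not in allowed]

if __name__ == "__main__":
    # On a real host, loop over glob.glob("/etc/vmware/firewall/*.xml")
    # and feed each file's contents to unexpected_rules().
    for rule in unexpected_rules(SAMPLE_RULE_FILE, [22, 443]):
        print("unexpected: %s %s %s/%s" % rule)
```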


Who am I

I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and make them successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions.
