How to create custom firewall rules on ESXi 5.0

Posted by on August 3, 2012 in VCAP, vSphere | 0 comments

While studying for the VCAP5-DCD I was working on Objective 7.2, which covers the built-in firewall for ESXi 5.0, and I needed to be comfortable with creating custom rules on the host firewall. At first I figured there must be an ESXCLI command that I could use to add and remove these rules, much like other tasks. There certainly is an ESXCLI firewall command, but it does not go as far as letting you create and remove rules in the firewall. The command is about turning already defined rules on and off and refreshing the rule set.

The rule list is kept in an XML file located here: /etc/vmware/firewall/service.xml

The first thing you should do is create a backup copy of this file to protect yourself from any mistakes. Then you will need to change the permissions on the file so that you can edit it. You can do this with chmod, or with WinSCP if that is easier for you.

Once you have changed the permissions, edit the file with a plain text editor; use whatever is available and you are comfortable with. The most common options for me are vi or, again, WinSCP, and I lean towards the second because it's easier for me. Once you open service.xml you will see a rule list like the one below. The two services at the end, suhr1 and suhr2, are the example entries that I added for my practice.

<ConfigRoot>
  <service id='0000'>
    <id>serviceName</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>80</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>
        <begin>1020</begin>
        <end>1050</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>

  <service id='0050'>
    <id>suhr1</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>2100</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
  <service id='0051'>
    <id>suhr2</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2000</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>

</ConfigRoot>

Simply create your new rule(s) by following the same format shown above or in the file. Once you have saved the file, you will need to load the new rule set.

To refresh the rules and make them take effect, use the following command. Now is the time for the ESXCLI command-line fun you have been waiting for.

# esxcli network firewall refresh

Now that you have refreshed the rules, you should check that they are showing up; there are a couple of ways to do this.

The first way is to fire up the vSphere Client, select the host on which you modified the rules, go to the Configuration tab, and open Security Profile under the Software section. You can see from the image below that I created two different rules, one incoming and one outgoing.

The second way to verify that your new rules are showing up is to use the command line and ESXCLI. Use the command below to display the rule sets.

# esxcli network firewall ruleset list
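As an added example (my own code, not from the original post), the small Python helper below builds the same kind of <service> entry shown above on a local copy of service.xml, checking each field, refusing a duplicate service name, and picking the next free four-digit service id before the file goes back to the host. The sample XML inside it is constructed to match the layout of the file, and the function and variable names are my own; the host itself is never touched, so a typo is caught here rather than when the rule set is refreshed.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the layout of /etc/vmware/firewall/service.xml (not the real file).
SAMPLE_SERVICE_XML = ("<ConfigRoot><service id='0000'><id>serviceName</id>"
                      "<rule id='0000'><direction>inbound</direction><protocol>tcp</protocol>"
                      "<porttype>dst</porttype><port>80</port></rule>"
                      "<enabled>true</enabled><required>false</required></service></ConfigRoot>")
ALLOWED = {"direction": {"inbound", "outbound"}, "protocol": {"tcp", "udp"},
           "porttype": {"src", "dst"}}

def add_service(xml_text, name, direction, protocol, porttype, port):
    """Append a one-rule <service> with the next free four-digit id and return the new XML.
    port is an int or a (begin, end) tuple; fields are checked before anything is written."""
    for tag, value in (("direction", direction), ("protocol", protocol), ("porttype", porttype)):
        if value not in ALLOWED[tag]:
            raise ValueError("bad %s %r, allowed: %s" % (tag, value, sorted(ALLOWED[tag])))
    lo, hi = port if isinstance(port, tuple) else (port, port)
    if not all(isinstance(p, int) and 1 <= p <= 65535 for p in (lo, hi)) or lo > hi:
        raise ValueError("bad port %r" % (port,))
    root = ET.fromstring(xml_text)  # ParseError here means the file is already broken
    services = root.findall("service")
    if any(s.findtext("id") == name for s in services):
        raise ValueError("service %r is already defined" % name)
    next_id = max([int(s.get("id")) for s in services] + [-1]) + 1
    svc = ET.SubElement(root, "service", id="%04d" % next_id)
    ET.SubElement(svc, "id").text = name
    rule = ET.SubElement(svc, "rule", id="0000")
    for tag, value in (("direction", direction), ("protocol", protocol), ("porttype", porttype)):
        ET.SubElement(rule, tag).text = value
    port_el = ET.SubElement(rule, "port")
    if lo == hi:
        port_el.text = str(lo)
    else:  # range form, as in the 1020-1050 rule in the file above
        ET.SubElement(port_el, "begin").text = str(lo)
        ET.SubElement(port_el, "end").text = str(hi)
    ET.SubElement(svc, "enabled").text = "true"
    ET.SubElement(svc, "required").text = "false"
    if hasattr(ET, "indent"):  # Python 3.9+; keeps the file readable for the next edit
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")

def list_services(xml_text):
    """Return one (service_id, name, direction, protocol, porttype, port) row per rule."""
    rows = []
    for s in ET.fromstring(xml_text).findall("service"):
        for r in s.findall("rule"):
            p = r.find("port")
            port = (p.text or "").strip() or "%s-%s" % (p.findtext("begin"), p.findtext("end"))
            rows.append((s.get("id"), s.findtext("id"), r.findtext("direction"),
                         r.findtext("protocol"), r.findtext("porttype"), port))
    return rows
```

Run it against a copy of the file, review the output of list_services, and only then copy the result back and run the refresh command above.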

One thing I came across while researching different ways to add rules was a lot of discussion on how to make the rules persist after a host reboot. If you use this method you should do some testing, but in my home lab the rules did persist across host reboots. I used the method listed in the following VMware KB.


About Brian Suhr

Brian is a VCDX5-DCV and a Solutions Architect for a VMware partner and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status for 2013, 2012 & 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design
