VMware supports opening and closing firewall ports only through the vSphere Client or the esxcfg-firewall command. Using any other methods or scripts to open and close firewall ports can lead to unexpected behavior.
Use of iptables or other Linux commands to modify firewall default rules is not supported.
If you modify firewall rules for the ESX service console by using iptables or any command or utility other than esxcfg-firewall, later accessing the service console through the firewall with other tools or utilities might cause the firewall to revert to its default configuration when those actions complete. For example, configuring VMware High Availability (HA) on a host causes the firewall to revert to the default configuration specified by esxcfg-firewall if you have modified the rules by using the iptables command.
Opening and closing firewall ports with the esxcfg-firewall command
To open or close ports with the esxcfg-firewall command:
- Log in to the service console and acquire root privileges.
- Use this command to open the port:
esxcfg-firewall --openPort <port_number>,tcp|udp,in|out,<port_name>
Use this command to close the port:
esxcfg-firewall --closePort <port_number>,tcp|udp,in|out,<port_name>
Where:
- <port_number> is the vendor-specified port number
- tcp is for TCP traffic and udp is for UDP traffic
- in opens the port for inbound traffic and out opens it for outbound traffic
- <port_name> is a descriptive name to help identify the service or agent using the port. A unique name is not required.
For example:
#esxcfg-firewall --openPort 6380,tcp,in,Navisphere
#esxcfg-firewall --closePort 6380,tcp,in
- Restart the vmware-hostd process. For more information, see Restarting the Management Agents on an ESX or ESXi Server (1003490).
Changing the default firewall rules by modifying default.xml
If you modify the defaults by using a Linux command, your changes are ignored and overwritten by the defaults specified for that service by the esxcfg-firewall command. If you want to change the defaults for a supported service, or define defaults for additional service types, you can modify or add to the rules in /etc/vmware/firewall/chains/default.xml. These rules follow the syntax of the iptables command. The default.xml file always uses the iptables -A (append) option for the specified chain.
To change the default firewall rules using default.xml:
- Log in to the service console with administrator privileges.
- Edit the /etc/vmware/firewall/chains/default.xml file to correspond to your security policies.
- Restart the service console firewall with the command:
service firewall restart
- Check that the specified services are correctly enabled or disabled with the command:
esxcfg-firewall -e|-d SERVICE
- Verify that your modified rules are working correctly with the command:
iptables -nL
Note: Do not use the iptables command to modify any settings.
You can modify the firewall defaults for each of the service types according to your own security policies. For example, these rules in the /etc/vmware/firewall/chains/default.xml file determine the firewall rules for the INPUT chain:
<ConfigRoot>
<chain name="INPUT">
<rule>-p tcp --dport 80 -j ACCEPT</rule>
<rule>-p tcp --dport 110 -j ACCEPT</rule>
<rule>-p tcp --dport 25 -j ACCEPT</rule>
</chain>...
</ConfigRoot>
The default.xml fragment above is equivalent to these iptables commands:
% iptables -A INPUT -p tcp --dport 80 -j ACCEPT
% iptables -A INPUT -p tcp --dport 110 -j ACCEPT
% iptables -A INPUT -p tcp --dport 25 -j ACCEPT
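As an added illustration (not VMware's code and not a file taken from an ESX host), this Python script parses a constructed fragment in the default.xml layout shown above, prints the iptables -A command each rule corresponds to, and summarises which ports the file opens with ACCEPT, which is a quick way to review an edited default.xml against your security policy before restarting the firewall. The sample XML, the added OUTPUT chain and the function names are assumptions.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample in the layout of /etc/vmware/firewall/chains/default.xml
# (not copied from a real ESX host); an OUTPUT chain is added to show a second chain.
SAMPLE_DEFAULT_XML = """<ConfigRoot>
<chain name="INPUT">
<rule>-p tcp --dport 80 -j ACCEPT</rule>
<rule>-p tcp --dport 110 -j ACCEPT</rule>
<rule>-p tcp --dport 25 -j ACCEPT</rule>
</chain>
<chain name="OUTPUT">
<rule>-p udp --dport 53 -j ACCEPT</rule>
</chain>
</ConfigRoot>
"""

def parse_rules(xml_text):
    """Yield (chain_name, rule_tokens) for every <rule> in file order."""
    root = ET.fromstring(xml_text)
    if root.tag != "ConfigRoot":
        raise ValueError("expected <ConfigRoot> as root, got <%s>" % root.tag)
    for chain in root.findall("chain"):
        name = chain.get("name")
        if not name:
            raise ValueError("<chain> element without a name attribute")
        for rule in chain.findall("rule"):
            text = (rule.text or "").strip()
            if text:  # shlex keeps quoted arguments such as --comment "a b" together
                yield name, shlex.split(text)

def to_iptables(xml_text):
    """The iptables command each rule corresponds to; default.xml always means -A (append)."""
    return ["iptables -A %s %s" % (chain, " ".join(shlex.quote(t) for t in tokens))
            for chain, tokens in parse_rules(xml_text)]

def accepted_ports(xml_text):
    """(chain, protocol, port) triples the file opens with -j ACCEPT; port ranges
    such as 80:90 are kept verbatim as the string iptables would receive."""
    opened = set()
    for chain, tokens in parse_rules(xml_text):
        opts = dict(zip(tokens, tokens[1:]))  # option -> the value that follows it
        if opts.get("-j") == "ACCEPT" and "--dport" in opts:
            opened.add((chain, opts.get("-p", "all"), opts["--dport"]))
    return opened

if __name__ == "__main__":
    for cmd in to_iptables(SAMPLE_DEFAULT_XML):
        print(cmd)
    print(sorted(accepted_ports(SAMPLE_DEFAULT_XML)))
```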
Changes in ESX 4.1
ESX 4.1 introduces these additional configuration files located in /etc/vmware/firewall/chains:
- usercustom.xml
- userdefault.xml
The default files custom.xml and default.xml are overridden by usercustom.xml and userdefault.xml. All configuration is saved in usercustom.xml and userdefault.xml.
Copy the original custom.xml and default.xml files and use them as a template for usercustom.xml and userdefault.xml.