About the ESXi 5.x and 6.x firewall
Article ID: 328503
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
This article provides information about the Firewall feature introduced in VMware vSphere ESXi 5.0 and later, which provides a new access control capability for ESXi.
Resolution
These are important points about the ESXi 5.x firewall:
- ESXi 5.0 has a new firewall engine that is not based on iptables.
- The firewall is enabled by default and allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
- The UI for configuring the firewall on ESXi 5.x and 6.x is similar to that used to configure the ESX firewall.
- The firewall is service oriented.
- You have the ability to restrict access to specific services based on IP address/Subnet Mask.
- There is Host Profile support for the ESXi 5.x and 6.x firewall.
- If you upgrade from ESX to ESXi 5.x, firewall settings are preserved.
A new esxcli interface named esxcfg-firewall is available in ESXi 5.x. This table summarizes the commands available in this interface:
| Command | Description |
| esxcli network firewall get | Returns the enabled or disabled status of the firewall and lists default actions. |
| esxcli network firewall set --default-action | Update default actions. |
| esxcli network firewall set --enabled | Set to true to enable the firewall, set to false to disable the firewall. |
| esxcli network firewall load | Load the firewall module and rule set configuration files. |
| esxcli network firewall refresh | Refresh the firewall configuration by reading the rule set files if the firewall module is loaded. |
| esxcli network firewall unload | Destroy filters and unload the firewall module. |
| esxcli network firewall ruleset list | List rule sets information. |
| esxcli network firewall ruleset set --allowedall | Set the allowedall flag. |
| esxcli network firewall ruleset set --enabled | Enable or disable the specified rule set. |
| esxcli network firewall ruleset allowedip list | List the allowed IP addresses of the specified rule set. |
| esxcli network firewall ruleset allowedip add | Allow access to the rule set from the specified IP address or range of IP addresses. |
| esxcli network firewall ruleset allowedip remove | Remove access to the rule set from the specified IP address or range of IP addresses. |
For example:
To enable the sshClient firewall ruleset, run this command:
esxcli network firewall ruleset set --enabled true --ruleset-id=sshClient
Additional Information
For more information about the ESXi 5.0 firewall, see the vSphere Security Guide.
User defined xml firewall configurations are not persistent across ESXi host reboots
关于 ESXi 5.x 和 6.0 防火墙
The firewall remains loaded, even when disabled.
For example:
Firewall enabled:
# esxcli network firewall set --enabled true
# esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true
Firewall disabled:
# esxcli network firewall set --enabled false
# esxcli network firewall get
Default Action: DROP
Enabled: false
Loaded: true
关于 ESXi 5.x 和 6.0 防火墙
Feedback
Yes
No
Powered by
