About the ESXi 5.x and 6.x firewall
search cancel

About the ESXi 5.x and 6.x firewall

book

Article ID: 328503

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article provides information about the Firewall feature introduced in VMware vSphere ESXi 5.0 and later, which provides a new access control capability for ESXi.

Resolution

These are important points about the ESXi 5.x firewall:

  • ESXi 5.0 has a new firewall engine that is not based on iptables.
  • The firewall is enabled by default and allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
  • The UI for configuring the firewall on ESXi 5.x and 6.x is similar to that used to configure the ESX firewall.
  • The firewall is service oriented.
  • You have the ability to restrict access to specific services based on IP address/Subnet Mask.
  • There is Host Profile support for the ESXi 5.x and 6.x firewall.
  • If you upgrade from ESX to ESXi 5.x, firewall settings are preserved.
A new esxcli interface named esxcfg-firewall is available in ESXi 5.x. This table summarizes the commands available in this interface:
CommandDescription
esxcli network firewall getReturns the enabled or disabled status of the firewall and lists default actions.
esxcli network firewall set --default-actionUpdate default actions.
esxcli network firewall set --enabledSet to true to enable the firewall, set to false to disable the firewall.
esxcli network firewall loadLoad the firewall module and rule set configuration files.
esxcli network firewall refreshRefresh the firewall configuration by reading the rule set files if the firewall module is loaded.
esxcli network firewall unloadDestroy filters and unload the firewall module.
esxcli network firewall ruleset listList rule sets information.
esxcli network firewall ruleset set --allowedallSet the allowedall flag.
esxcli network firewall ruleset set --enabledEnable or disable the specified rule set.
esxcli network firewall ruleset allowedip listList the allowed IP addresses of the specified rule set.
esxcli network firewall ruleset allowedip addAllow access to the rule set from the specified IP address or range of IP addresses.
esxcli network firewall ruleset allowedip removeRemove access to the rule set from the specified IP address or range of IP addresses.

For example:

To enable the sshClient firewall ruleset, run this command:

esxcli network firewall ruleset set --enabled true --ruleset-id=sshClient


Additional Information

For more information about the ESXi 5.0 firewall, see the vSphere Security Guide.

The firewall remains loaded, even when disabled.
For example:

Firewall enabled:

# esxcli network firewall set --enabled true
# esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true

Firewall disabled:

# esxcli network firewall set --enabled false
# esxcli network firewall get
Default Action: DROP
Enabled: false
Loaded: true
User defined xml firewall configurations are not persistent across ESXi host reboots
关于 ESXi 5.x 和 6.0 防火墙