ESXi Firewall allows UDP source port 53 traffic to all destination ports



Article ID: 341588

Products

VMware vSphere ESXi

Issue/Introduction

Vulnerability scanners may flag ESXi hosts with a "UDP Source Port Pass Firewall" or "Ruleset Bypass" vulnerability.

Example vulnerability scanner output:

"Your firewall policy seems to allow UDP packets with a specific source port (for example, port 53) to pass through while it blocks UDP packets to the same destination ports but with a random source port."

Environment

VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0

Cause

This behaviour is working as designed, as the ESXi hypervisor utilizes a stateless rather than a stateful firewall. To ensure reliable DNS functionality, the firewall is designed to permit UDP traffic originating from source port 53 (DNS).

Resolution

The ESXi DNS client uses 'high' ephemeral ports (greater than port 49152) for DNS queries. To further secure your environment and mitigate scanner flags, follow these recommendations:

  • Configure an external firewall to block incoming UDP traffic from source port 53 whose destination port is lower than 49152; legitimate DNS replies to the ESXi client arrive on ports above 49152 and are not affected.
  • DNS queries may also be further restricted by configuring the allowed IP addresses for DNS communication within the ESXi host firewall (see the vSphere Security documentation).
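The second recommendation can be applied from the ESXi Shell with esxcli, as in the added example below (example script, not part of the KB article or a VMware-supplied tool). It assumes esxcli is in PATH and that the ruleset id for the DNS Client service is `dns`; the resolver addresses used in the comments are constructed placeholders, and setting `ESXCLI=echo` performs a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: restrict the ESXi "dns" ruleset to known resolvers so that
# UDP packets from source port 53 are only accepted from those addresses.
# ESXCLI may be overridden (ESXCLI=echo) to print the commands for review.
: "${ESXCLI:=esxcli}"

# Show the current state of the DNS Client ruleset: enabled flag, whether all
# source IPs are allowed, the explicit allow list, and the port rules.
show_dns_ruleset() {
    "$ESXCLI" network firewall ruleset list --ruleset-id=dns
    "$ESXCLI" network firewall ruleset allowedip list --ruleset-id=dns
    "$ESXCLI" network firewall ruleset rule list --ruleset-id=dns
}

# restrict_dns_ruleset <resolver-ip> [<resolver-ip> ...]
# Adds each resolver to the allow list first, then disables "allow all", so
# there is no window in which the host cannot reach its resolvers. Refuses to
# run with no resolvers, because an empty allow list with allowed-all disabled
# would break name resolution on the host.
restrict_dns_ruleset() {
    if [ "$#" -eq 0 ]; then
        echo "usage: restrict_dns_ruleset <resolver-ip> ..." >&2
        return 1
    fi
    for ip in "$@"; do
        "$ESXCLI" network firewall ruleset allowedip add \
            --ruleset-id=dns --ip-address="$ip" || return 1
    done
    "$ESXCLI" network firewall ruleset set \
        --ruleset-id=dns --allowed-all=false || return 1
    # Reload the firewall so the new allow list takes effect immediately.
    "$ESXCLI" network firewall refresh
}

# Example (constructed resolver addresses), uncomment on the host:
# restrict_dns_ruleset 192.0.2.53 192.0.2.54 && show_dns_ruleset
```

After applying it, `show_dns_ruleset` should report the dns ruleset with allowed-all false and only the configured resolver addresses listed.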