Update option for Incoming/Outgoing Firewall "NFS Client" in ESXi 8.0 U2B or later is greyed out.
vSphere Esxi 8.0 U2 and later
With ESXi 8.0 Update 2, some ESXi firewall rulesets, such as dhcp, are system-owned by default and prevent manual adding of allowed IP addresses to avoid possible break of service. With ESXi 8.0 Update 2b, you can manually add allowed IP addresses to all rulesets, except for nfsClient, nfs41Client, trusted-infrastructure-kmxd, trusted-infrastructure-kmxa, and vsanEncryption.
Though UI option is greyed out, We could add the ip address to the allowed list using below steps
# add an IP entry using below command :
[:~] esxcli storage nfs firewall add -F xx.xx.xx.xx/8
# confirm the IP is added successfully using below commands :
[:~] esxcli network firewall ruleset allowedip list | grep nfs
nfsClient xx.xx.xx.xx/8
nfs41Client All
[:~] esxcli storage nfs firewall list
Allowed IPMask: xx.xx.xx.xx/8
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80u2b-release-notes/index.html