Create a custom firewall ruleset in ESXi 6.0



Article ID: 376396


Updated On:

Products

VMware vCenter Server

Issue/Introduction

Steps to create a custom firewall ruleset for syslog and other custom port configurations.

Environment

ESXi 6.x

Cause

The method below adds a custom ruleset by dropping a rule file into the host firewall directory, so there is no need to build and install a custom firewall VIB on the ESXi host.

Resolution

Step 1:
Create a file named logstash.xml with the following contents. The single rule allows outbound TCP traffic to destination port 5102 (the Logstash listener in this example); change the id, direction, protocol, porttype and port to match the service you need. enabled=true activates the ruleset as soon as it is loaded, and required=false allows it to be disabled again later.

<ConfigRoot>
<service>
<id>logstash</id>
<rule id='0000'>
<direction>outbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>5102</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>

Step 2:
Copy logstash.xml to a directory on a datastore, for example /vmfs/volumes/datastore_name/logstash.xml, so that a copy survives reboots (/etc/vmware/firewall/ is not persistent), and then copy the same file into /etc/vmware/firewall/.

Step 3:
To reapply the rule after every reboot, add the following to /etc/rc.local.d/local.sh, above the exit 0 line that ends that file. Note that the datastore path is /vmfs/volumes and that the source is the file itself, with no trailing slash:

if [ -f "/vmfs/volumes/datastore_name/logstash.xml" ]; then
    # Re-install the ruleset and make the firewall reload its rule files.
    cp /vmfs/volumes/datastore_name/logstash.xml /etc/vmware/firewall/
    esxcli network firewall refresh
fi

exit 0

Save the file. This change requires Secure Boot to be disabled on the host. Check the current state with /usr/lib/vmware/secureboot/bin/secureBoot.py -s, which only reports whether Secure Boot is Enabled or Disabled; if it is enabled, switch it off in the host's UEFI firmware settings, since it cannot be disabled from the ESXi shell.

Step 4:

Set the permissions of logstash.xml to 0644 (chmod 644 logstash.xml) on both copies, so the file is readable by the firewall but writable only by root. Because local.sh runs as root at every boot and installs whatever file is at the datastore path, keep the datastore copy root-owned and do not leave that path writable by other users.

Step 5:
Reboot the ESXi host and confirm that the ruleset is loaded and that traffic to the new port is allowed.
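The whole procedure as one script, added here as an illustration and not part of the original article or of VMware's tooling: it builds the ruleset XML from validated fields, stages the file with 0644 permissions, and reloads the firewall only when esxcli is present, so it can be dry-run on any POSIX shell. The function names, the /etc/vmware/firewall default, the dry-run behaviour and the /tmp output path are assumptions of the example.

```shell
#!/bin/sh
# Added example, not VMware's code and not from the original article: builds,
# validates and stages a one-rule custom ESXi firewall ruleset in the XML layout
# from Step 1. Assumptions: the ruleset directory defaults to /etc/vmware/firewall
# and the firewall is reloaded with "esxcli network firewall refresh" (both as in
# the article); when esxcli is absent the refresh is skipped so the script can be
# dry-run on any POSIX shell.

# make_ruleset ID DIRECTION PROTOCOL PORTTYPE PORT
# Validates each field against the values the ruleset format accepts and prints
# a complete <ConfigRoot> document on stdout. Returns 1 on any bad field.
make_ruleset() {
    id=$1 direction=$2 proto=$3 porttype=$4 port=$5
    case "$id" in
        ''|*[!A-Za-z0-9_-]*) echo "make_ruleset: bad service id '$id'" >&2; return 1 ;;
    esac
    case "$direction" in
        inbound|outbound) ;;
        *) echo "make_ruleset: direction must be inbound or outbound" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "make_ruleset: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case "$porttype" in
        src|dst) ;;
        *) echo "make_ruleset: porttype must be src or dst" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "make_ruleset: port must be a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "make_ruleset: port $port out of range 1-65535" >&2; return 1
    fi
    printf '<ConfigRoot>\n<service>\n<id>%s</id>\n' "$id"
    printf "<rule id='0000'>\n<direction>%s</direction>\n<protocol>%s</protocol>\n" "$direction" "$proto"
    printf '<porttype>%s</porttype>\n<port>%s</port>\n</rule>\n' "$porttype" "$port"
    printf '<enabled>true</enabled>\n<required>false</required>\n</service>\n</ConfigRoot>\n'
}

# stage_ruleset XMLFILE [RULESET_DIR]
# Copies the ruleset into the firewall directory, pins it to mode 0644 (Step 4)
# and, when esxcli is available, reloads the rules and lists what the firewall
# actually loaded for that ruleset id. Without esxcli it only stages the file.
stage_ruleset() {
    src=$1 dest=${2:-/etc/vmware/firewall}
    [ -f "$src" ] || { echo "stage_ruleset: $src is not a file" >&2; return 1; }
    [ -d "$dest" ] || { echo "stage_ruleset: $dest is not a directory" >&2; return 1; }
    name=$(basename "$src")
    cp "$src" "$dest/$name" || return 1
    chmod 644 "$dest/$name" || return 1
    if command -v esxcli >/dev/null 2>&1; then
        esxcli network firewall refresh || return 1
        esxcli network firewall ruleset rule list --ruleset-id "${name%.xml}"
    else
        echo "stage_ruleset: esxcli not found, staged $dest/$name without refresh" >&2
    fi
}

# Usage when saved as custom-ruleset.sh and run directly on the host:
# create the logstash ruleset from Step 1 and stage it.
case "${0##*/}" in
    custom-ruleset.sh)
        make_ruleset logstash outbound tcp dst 5102 > /tmp/logstash.xml || exit 1
        stage_ruleset /tmp/logstash.xml
        ;;
esac
```

The script does not touch /etc/rc.local.d/local.sh; persistence across reboots still comes from the snippet in Step 3, which should copy the datastore copy of the generated file. Rejecting anything outside inbound/outbound, tcp/udp, src/dst and 1-65535 before the file is written keeps a typo from producing a rule file the firewall silently ignores or, worse, one broader than intended.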

Additional Information

This method is no longer supported in ESXi 7.0.

In ESXi 7.0 and later, access to the service.xml file used to create custom firewall rules is restricted. See VMware Knowledge Base article 2008226 for information about creating custom firewall rules using the /etc/rc.local.d/local.sh file.