Steps to create a custom firewall ruleset for syslog and other custom port configurations.
ESXi 6.x
The method below can be used instead of installing custom firewall VIBs on the ESXi host.
Step 1:-
Created a test file named logstash.xml with the following contents:
<ConfigRoot>
  <service>
    <id>logstash</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>5102</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
Step 2:-
Copied the logstash.xml file to a valid datastore directory, for example
/vmfs/volumes/datastore_name/logstash.xml, and then copied the same file to /etc/vmware/firewall/.
Step 3:-
To make the change persistent across reboots (files added under /etc/vmware/firewall/ are lost when the host restarts), we edited the file /etc/rc.local.d/local.sh to include the following entries ahead of its final exit 0. Replace datastore_name with the real datastore name; the source path is the file itself, so it must not end in a slash:
# Re-apply the custom firewall ruleset from the datastore copy at boot
if [ -f "/vmfs/volumes/datastore_name/logstash.xml" ]; then
  cp /vmfs/volumes/datastore_name/logstash.xml /etc/vmware/firewall/
  # reload the firewall so the new service file is picked up
  esxcli network firewall refresh
fi
exit 0
Saved the file and disabled the Secure Boot option for the host; /usr/lib/vmware/secureboot/bin/secureBoot.py -s reports whether Secure Boot is currently enabled or disabled.
Step 4:-
Set the permissions of logstash.xml to 644 with chmod 644 logstash.xml.
Step 5:-
Reboot the ESXi host and test.
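The steps above are easy to get subtly wrong by hand (a typo in the direction or protocol element, a port outside the valid range, a trailing slash on the cp source). The following POSIX sh script is an added example, not code from the original page or from VMware: it generates the same service XML shown in Step 1 and the local.sh stanza of Step 3 from parameters, rejects invalid input before anything lands in /etc/vmware/firewall/, and ends with a host-only installer that applies the file and checks that the ruleset appears in esxcli network firewall ruleset list. The function names, the datastore_name placeholder and the assumption that the ruleset is listed under its service id are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page). Generates an ESXi 6.x custom
# firewall service file and the matching /etc/rc.local.d/local.sh stanza.
# Written for POSIX sh so it also runs under the busybox shell on the host.

# gen_fw_rule NAME DIRECTION PROTOCOL PORT
# Prints the service XML on stdout; prints nothing and returns 1 on bad input.
gen_fw_rule() {
    name=$1; direction=$2; proto=$3; port=$4
    # The service id becomes the ruleset name shown by esxcli; restrict it to
    # letters, digits and underscore so it cannot break the XML or a shell line.
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "gen_fw_rule: bad service name '$name'" >&2; return 1 ;;
    esac
    case $direction in
        inbound|outbound) ;;
        *) echo "gen_fw_rule: direction must be inbound or outbound" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp) ;;
        *) echo "gen_fw_rule: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "gen_fw_rule: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "gen_fw_rule: port $port out of range" >&2; return 1
    fi
    # Same layout as the logstash.xml file on the page: one service, one rule.
    cat <<EOF
<ConfigRoot>
  <service>
    <id>$name</id>
    <rule id='0000'>
      <direction>$direction</direction>
      <protocol>$proto</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# gen_local_sh_stanza DATASTORE NAME
# Prints the block to place in /etc/rc.local.d/local.sh ahead of its exit 0.
gen_local_sh_stanza() {
    src="/vmfs/volumes/$1/$2.xml"
    cat <<EOF
# Re-apply custom firewall service '$2' at boot (/etc/vmware/firewall is not persistent)
if [ -f "$src" ]; then
  cp "$src" /etc/vmware/firewall/
  chmod 644 /etc/vmware/firewall/$2.xml
  esxcli network firewall refresh
fi
EOF
}

# install_fw_rule NAME DIRECTION PROTOCOL PORT DATASTORE
# Host-side installer: writes the datastore copy and the live copy, sets mode
# 0644, reloads the firewall and checks the ruleset is listed. Needs esxcli,
# so it only works when run on the ESXi host itself.
install_fw_rule() {
    xml=$(gen_fw_rule "$1" "$2" "$3" "$4") || return 1
    src="/vmfs/volumes/$5/$1.xml"
    printf '%s\n' "$xml" > "$src" &&
    cp "$src" /etc/vmware/firewall/ &&
    chmod 644 "/etc/vmware/firewall/$1.xml" &&
    esxcli network firewall refresh &&
    esxcli network firewall ruleset list | grep -w "$1"
}

# Stand-alone demonstration with the page's values (datastore_name is a placeholder):
gen_fw_rule logstash outbound tcp 5102
gen_local_sh_stanza datastore_name logstash
# On the host: install_fw_rule logstash outbound tcp 5102 datastore_name
```

Run it anywhere to see the generated XML and stanza; only install_fw_rule needs to be run on the ESXi host. The validation deliberately rejects a service name containing anything but [A-Za-z0-9_] because the id is reused as a file name, an XML element value and a ruleset name, and one unchecked string should not be able to influence all three.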
This is no longer supported in ESXi 7.0. In ESXi 7.0 and later, access to the service.xml file, used to create custom firewall rules, is restricted. See VMware Knowledge Base article 2008226 for information about creating custom firewall rules using the /etc/rc.local.d/local.sh file.