Ports and services are unexpectedly blocked by the ESXi host firewall

Article ID: 406623

Products

VMware vSphere ESXi

Issue/Introduction

When the ESXi host firewall is activated, traffic to host services such as vMotion and SSH is unexpectedly blocked.

The built-in rule for the service is enabled in the host firewall configuration.

You confirm that the host firewall is blocking the traffic by disabling the firewall and observing that the service becomes accessible while it is disabled.


The firewall can be enabled and disabled using these commands on the host: 

esxcli network firewall set --enabled false
esxcli network firewall set --enabled true

Environment

Custom firewall rules have been added

Cause

The traffic is blocked by a duplicate or overlapping firewall rule that allows only trusted IPs.

An allow rule that lists specific IP addresses denies traffic from all other IPs whenever it matches the traffic and is evaluated before a broader rule that would otherwise have allowed it.

The order in which firewall rules appear in vSphere does not necessarily match the order in which the firewall evaluates them.

  • For example, a firewall rule that specifies port 22 and permits 192.168.0.1 can deny SSH to every host other than 192.168.0.1, even if another rule permitting port 22 for all hosts appears above it in the list.
  • A firewall rule that specifies ports 1024-65535 and permits 172.16.30.0/24 can block vMotion (which uses port 8000) to hosts outside this range, even if a more specific rule allowing vMotion for all hosts is enabled.

Resolution

Examine the firewall settings for rules that specify allowed IPs and test the effect of these rules by disabling them.
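The following script is an added illustration of the check described above and of the two overlap cases listed under Cause; it is not code from this article or from VMware. It models a handful of ESXi firewall rulesets with the fields that matter here (enabled flag, whether all IPs are allowed, the allowed IP list, and the inbound port ranges) and reports, for a given service port and client address, every enabled ruleset whose port range covers the port but whose allowed-IP list excludes the client. On a real host that information comes from esxcli network firewall ruleset list, esxcli network firewall ruleset rule list and esxcli network firewall ruleset allowedip list; the sample data below is constructed by hand rather than parsed from that output, and the custom ruleset names ssh-trusted and highports-mgmt are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Ruleset:
    """One ESXi firewall ruleset, reduced to the fields relevant to this issue.
    Values are constructed for the example, not read from esxcli output."""
    ruleset_id: str
    enabled: bool
    allowed_all: bool                                   # True = no IP restriction
    allowed_ips: list = field(default_factory=list)     # CIDR strings / single IPs
    port_ranges: list = field(default_factory=list)     # inbound (low, high) pairs


def matches_port(ruleset, port):
    """True if any of the ruleset's port ranges covers the given port."""
    return any(low <= port <= high for low, high in ruleset.port_ranges)


def allows_ip(ruleset, client_ip):
    """True if the ruleset permits traffic from client_ip."""
    if ruleset.allowed_all:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in ruleset.allowed_ips)


def find_blocking_rulesets(rulesets, port, client_ip):
    """Return the ids of enabled rulesets that cover `port` but exclude `client_ip`.

    Any ruleset in this list can be the one that drops the traffic, because the
    firewall may evaluate it before the broader rule that would allow the client,
    regardless of where it appears in the vSphere list.  These are the rules to
    disable one by one while re-testing the service.
    """
    return [r.ruleset_id for r in rulesets
            if r.enabled and matches_port(r, port) and not allows_ip(r, client_ip)]


# Constructed sample: two built-in rulesets that allow all hosts, plus two
# custom (hypothetical) rulesets that restrict the allowed IPs.
SAMPLE_RULESETS = [
    Ruleset("sshServer", True, True, port_ranges=[(22, 22)]),
    Ruleset("vMotion", True, True, port_ranges=[(8000, 8000)]),
    # Port 22 permitted only from 192.168.0.1 (first example under Cause)
    Ruleset("ssh-trusted", True, False, ["192.168.0.1"], [(22, 22)]),
    # Ports 1024-65535 permitted only from 172.16.30.0/24 (second example under Cause)
    Ruleset("highports-mgmt", True, False, ["172.16.30.0/24"], [(1024, 65535)]),
]

# Service ports this article mentions, for the summary report.
SERVICES = {"SSH": 22, "vMotion": 8000}


def audit(rulesets, client_ip, services=SERVICES):
    """Map each service name to the rulesets that would block client_ip."""
    return {name: find_blocking_rulesets(rulesets, port, client_ip)
            for name, port in services.items()}


if __name__ == "__main__":
    for client in ("10.0.0.5", "192.168.0.1", "172.16.30.7"):
        print(client, audit(SAMPLE_RULESETS, client))
```

Running the script shows that SSH from 10.0.0.5 is exposed to ssh-trusted, that vMotion from the same client is exposed to highports-mgmt even though the broad vMotion ruleset is enabled, and that clients inside the listed IPs are not affected. Those flagged rulesets are the ones to disable temporarily while re-testing the service, as the Resolution describes.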