Adding a third-party firewall extension to ESXi 5.0
Article ID: 308460
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
This article provides steps to enable a third-party firewall extension to the ESXi 5.0 firewall.
Adding an extension is required when you install third party software that requires custom ports for communication with the ESXi host.
Environment
VMware vCenter Server 5.0.x
VMware vSphere ESXi 5.0
Resolution
To enable a third-party firewall extension:
If it is not already enabled, enable ESXi Shell. For more information, see Using ESXi Shell in ESXi 5.0 (2004746).
Log in to the ESXi host with root credentials using an SSH client.
Navigate to /etc/vmware/firewall using the command:
#cd /etc/vmware/firewall/
Create a new file with the name extension.xml:
Note: This example uses the vi editor.
#vi test.xml
<ConfigRoot>
  <service>
    <id>ServiceName</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>1234</port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>1234</port>
    </rule>
    <rule id='0002'>
      <direction>inbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>1234</port>
    </rule>
    <rule id='0003'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>1234</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
Where:
enabled is the default status of the service when it is first loaded.
required indicates whether the service is required and therefore cannot be disabled.
rule id identifies each required rule; the ids start at 0000 and continue with 0001, 0002, and so on.
protocol indicates whether the rule is for TCP or UDP. Note: If you need the same port number for both TCP and UDP, you must have two rules.
direction specifies whether the port is for incoming or outgoing traffic. Note: You must have a separate rule for incoming and outgoing communication.
porttype is set to dst for destination.
1234 is the required port number. Note: You can have multiple rules for different ports in the same file.
Load configurations with the command:
#esxcli network firewall refresh
When the service is available in the interface under Security Profile > Firewall, you can enable or disable it.
Note: It is identified in the UI by the <id> tag.
If you cannot find the firewall rule in the list, try unloading and loading the firewall rules with the commands:
#esxcli network firewall unload
#esxcli network firewall load
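The extension file format described above can be generated and checked before it is copied to /etc/vmware/firewall. The following is an added example, not code from the KB or from VMware: it builds a <ConfigRoot> file with one rule per protocol/direction pair, numbers the rule ids 0000, 0001, ... in order, and lints an existing file for the mistakes the notes above warn about (out-of-order ids, duplicate rules, invalid ports, a required=true service that can no longer be disabled). The function names and the duplicate/required checks are this example's own.

```python
import xml.etree.ElementTree as ET

DIRECTIONS = ("inbound", "outbound")
PROTOCOLS = ("tcp", "udp")

def build_service(name, port, protocols=PROTOCOLS, directions=DIRECTIONS,
                  enabled=False, required=False):
    """Emit <ConfigRoot> text for one service: one rule per protocol/direction
    pair (the KB requires separate rules), ids numbered 0000, 0001, ... in order."""
    root = ET.Element("ConfigRoot")
    svc = ET.SubElement(root, "service")
    ET.SubElement(svc, "id").text = name
    pairs = [(p, d) for p in protocols for d in directions]
    for n, (proto, direction) in enumerate(pairs):
        rule = ET.SubElement(svc, "rule", id=f"{n:04d}")
        ET.SubElement(rule, "direction").text = direction
        ET.SubElement(rule, "protocol").text = proto
        ET.SubElement(rule, "porttype").text = "dst"
        ET.SubElement(rule, "port").text = str(port)
    # Ship disabled and not required by default; enable it from Security Profile > Firewall when needed.
    ET.SubElement(svc, "enabled").text = str(enabled).lower()
    ET.SubElement(svc, "required").text = str(required).lower()
    return ET.tostring(root, encoding="unicode")

def lint_service(xml_text):
    """Check an extension file against the rules in the KB; returns a list of
    problems (an empty list means the file looks sound)."""
    problems = []
    for svc in ET.fromstring(xml_text).findall("service"):
        sid = svc.findtext("id") or "<missing id>"
        rules = svc.findall("rule")
        if [r.get("id") for r in rules] != [f"{i:04d}" for i in range(len(rules))]:
            problems.append(f"{sid}: rule ids must run 0000, 0001, ... in order")
        seen = set()
        for r in rules:
            key = tuple(r.findtext(t) for t in ("direction", "protocol", "porttype", "port"))
            direction, proto, ptype, port = key
            if direction not in DIRECTIONS or proto not in PROTOCOLS:
                problems.append(f"{sid}: rule {r.get('id')} has bad direction/protocol {direction}/{proto}")
            if ptype != "dst":  # the KB documents dst (destination port) only
                problems.append(f"{sid}: rule {r.get('id')} has porttype {ptype!r}, expected 'dst'")
            if not (port or "").isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"{sid}: rule {r.get('id')} has invalid port {port!r}")
            if key in seen:  # same direction+protocol+port twice is a copy/paste mistake
                problems.append(f"{sid}: rule {r.get('id')} duplicates an earlier rule")
            seen.add(key)
        if svc.findtext("required") == "true":
            problems.append(f"{sid}: required=true cannot be disabled in the UI; use false unless the host depends on it")
    return problems
```

Write the output of build_service to the .xml file in /etc/vmware/firewall, then run esxcli network firewall refresh as described above.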