Adding a third-party firewall extension to ESXi 5.0
Article ID: 308460

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

This article provides steps to add a third-party firewall extension to the ESXi 5.0 firewall.
Adding an extension is required when you install third-party software that needs custom ports opened for communication with the ESXi host.


Environment

VMware vCenter Server 5.0.x
VMware vSphere ESXi 5.0

Resolution

To enable a third-party firewall extension:
  1. If it is not already enabled, enable ESXi Shell. For more information, see Using ESXi Shell in ESXi 5.0 (2004746).
  2. Log in to the ESXi host with root credentials using an SSH client.
  3. Navigate to /etc/vmware/firewall using the command:

    #cd /etc/vmware/firewall/

  4. Create a new file with the .xml extension:

    Note: This example uses the vi editor.

    #vi test.xml

    <ConfigRoot>
      <service>
        <id>ServiceName</id>
        <rule id='0000'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <porttype>dst</porttype>
          <port>1234</port>
        </rule>
        <rule id='0001'>
          <direction>outbound</direction>
          <protocol>tcp</protocol>
          <porttype>dst</porttype>
          <port>1234</port>
        </rule>
        <rule id='0002'>
          <direction>inbound</direction>
          <protocol>udp</protocol>
          <porttype>dst</porttype>
          <port>1234</port>
        </rule>
        <rule id='0003'>
          <direction>outbound</direction>
          <protocol>udp</protocol>
          <porttype>dst</porttype>
          <port>1234</port>
        </rule>
        <enabled>false</enabled>
        <required>false</required>
      </service>
    </ConfigRoot>

    Where:
    • enabled is the default state of the service when it is first loaded (false means the ports stay closed until an administrator enables the service)
    • required indicates whether the service is required and therefore cannot be disabled
    • rule id identifies each rule; numbering starts at 0000 and continues with 0001, 0002, and so on
    • protocol specifies whether the rule applies to TCP or UDP

      Note: If you need the same port number for both TCP and UDP, you must create two rules.

    • direction specifies whether the rule applies to incoming or outgoing traffic

      Note: You must have a separate rule for incoming and outgoing communication.

    • porttype is set to dst for destination port.
    • 1234 is the required port number.

      Note: You can have multiple rules for different ports in the same file.

  5. Load configurations with the command:

    #esxcli network firewall refresh

  6. When the service appears in the interface under Security Profile > Firewall, you can enable or disable it there.

    Note: The service is listed in the UI by the name given in its <id> tag.

  7. If you cannot find the firewall rule in the list, try unloading and loading the firewall rules with the commands:

    #esxcli network firewall unload
    #esxcli network firewall load
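The following script is an added example and is not part of the VMware article. It generates an extension file of the exact shape shown in step 4 for a given service id and destination port (the four rule ids 0000 to 0003 cover TCP inbound, TCP outbound, UDP inbound and UDP outbound, as the article's example does), checks the file for the mistakes that most often keep a service from appearing in the list (duplicate rule ids, non-numeric or out-of-range ports, an id that is not a plain token), and then, only when esxcli is present, copies it into /etc/vmware/firewall and runs the refresh from step 5 followed by a ruleset listing to confirm the service was picked up. The service name backupagent, the port 1234 and the file name are constructed values; the default of enabled=false keeps the ports closed until an administrator turns the service on, which is the conservative choice the article's own example makes.

```shell
#!/bin/sh
# Added example, not VMware's code: build, check and load an ESXi 5.0
# firewall extension file. Service id, port and file name are constructed.

# Emit one <service> with four rules (tcp/udp x inbound/outbound).
# $1 = service id (shown in the UI), $2 = destination port,
# $3 = initial enabled state, "true" or "false" (default false).
gen_fw_service() {
  svc=$1; port=$2; enabled=${3:-false}
  printf '<ConfigRoot>\n  <service>\n    <id>%s</id>\n' "$svc"
  n=0
  for proto in tcp udp; do
    for dir in inbound outbound; do
      printf "    <rule id='%04d'>\n" "$n"
      printf '      <direction>%s</direction>\n      <protocol>%s</protocol>\n' "$dir" "$proto"
      printf '      <porttype>dst</porttype>\n      <port>%s</port>\n    </rule>\n' "$port"
      n=$((n + 1))
    done
  done
  printf '    <enabled>%s</enabled>\n    <required>false</required>\n  </service>\n</ConfigRoot>\n' "$enabled"
}

# Sanity-check a generated (or hand-written) extension file before placing
# it in /etc/vmware/firewall: rule ids unique, ports numeric and in range,
# service id a plain token. Returns 0 when the file passes.
check_fw_file() {
  f=$1
  total=$(grep -c "<rule id='" "$f")
  uniq=$(grep -o "<rule id='[0-9]*'" "$f" | sort -u | wc -l | tr -d ' ')
  [ "$total" -gt 0 ] && [ "$total" -eq "$uniq" ] \
    || { echo "duplicate or missing rule ids in $f" >&2; return 1; }
  for p in $(sed -n 's/.*<port>\([^<]*\)<\/port>.*/\1/p' "$f"); do
    case $p in ''|*[!0-9]*) echo "non-numeric port: $p" >&2; return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] \
      || { echo "port out of range: $p" >&2; return 1; }
  done
  grep -q '^ *<id>[A-Za-z0-9_-][A-Za-z0-9_-]*</id>$' "$f" \
    || { echo "service id must be a plain token" >&2; return 1; }
  return 0
}

# Usage: generate into a temporary file first, check it, then apply.
out=${TMPDIR:-/tmp}/backupagent.xml            # constructed file name
gen_fw_service backupagent 1234 false > "$out"  # constructed service/port
check_fw_file "$out" && echo "extension file looks sane: $out"

# Steps 3 to 6 of the article, run only on a host that actually has esxcli.
if command -v esxcli >/dev/null 2>&1; then
  cp "$out" /etc/vmware/firewall/backupagent.xml
  esxcli network firewall refresh
  # The service should now be listed (disabled) under its <id>.
  esxcli network firewall ruleset list --ruleset-id=backupagent
fi
```

The check function is deliberately strict about the service id because that value is echoed verbatim into the vSphere Client and into esxcli output; keeping it to letters, digits, underscore and hyphen avoids surprises there. Run the script once on a workstation to inspect the generated file, then on the host, where the esxcli branch applies it.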