Howto: esxcfg-firewall

Since the introduction of VI3, VMware ESX has had a built-in firewall protecting the Service Console. It is queried and configured at the console with the esxcfg-firewall command.

To see the main switches for this command, run esxcfg-firewall -h (or --help). An abridged version of the output, with the long forms of the switches added:

-q | --query Lists current settings
-q <service> Lists settings for the specified service
-q incoming|outgoing Lists settings for non-required incoming/outgoing ports
-s | --services Lists known services
-l | --load Loads current settings
-r | --reset Resets all options to defaults
-e | --enableService <service> Allows the specified service through the firewall
-d | --disableService <service> Blocks the specified service (disables it)
-o | --openPort <port,tcp|udp,in|out,name> Opens a port
-c | --closePort <port,tcp|udp,in|out> Closes a port previously opened by -o
-h | --help Displays command help
--allowIncoming Allow all incoming ports
--allowOutgoing Allow all outgoing ports
--blockIncoming Block all non-required incoming ports (default)
--blockOutgoing Block all non-required outgoing ports (default)

A default ESX installation sets the firewall to its high-security mode (block all non-required incoming and outgoing ports). On top of that, the firewall ships with a set of predefined services that can be enabled or disabled by name; only a few of them (for example sshServer and vpxHeartbeats) are enabled out of the box. The known services, as listed by esxcfg-firewall -s, are shown below:

AAMClient Added by the vpxa RPM: traffic between ESX Server hosts for VMware High Availability (HA) and EMC Autostart Manager – inbound and outbound TCP and UDP Ports 2050 – 5000 and 8042 – 8045
activeDirectorKerberos Active Directory Kerberos – outbound TCP Port 88 and
CIMHttpServer First-party optional service: CIM HTTP Server – inbound TCP Port 5988
CIMHttpsServer First-party optional service: CIM HTTPS Server – inbound TCP Port 5989
CIMSLP First-party optional service: CIM SLP – inbound and outbound TCP and UDP Port 427
commvaultDynamic Backup agent: Commvault dynamic – inbound and outbound TCP Ports 8600 – 8619
commvaultStatic Backup agent: Commvault static – inbound and outbound TCP Ports 8400 – 8403
ftpClient FTP client – outbound TCP Port 21
ftpServer FTP server – inbound TCP Port 21
kerberos Kerberos – outbound TCP Ports 88 and 749
LicenseClient FlexLM license server client – outbound TCP Ports 27000 and
nfsClient NFS client – outbound TCP and UDP Ports 111 and 2049 (0 –
nisClient NIS client – outbound TCP and UDP Ports 111 (0 –
ntpClient NTP client – outbound UDP Port 123
smbClient SMB client – outbound TCP Ports 137 – 139 and 445
snmpd SNMP services – inbound TCP Port 161 and outbound TCP Port
sshClient SSH client – outbound TCP Port 22
sshServer SSH server – inbound TCP Port 22
swISCSIClient First-party optional service: Software iSCSI client – outbound TCP Port 3260
telnetClient Telnet client – outbound TCP Port 23
TSM Backup agent: IBM Tivoli Storage Manager – inbound and outbound TCP Port 1500
veritasBackupExec Backup agent: Veritas BackupExec – inbound TCP Ports 10000 –
veritasNetBackup Backup agent: Veritas NetBackup – inbound TCP Ports 13720, 13732, 13734, and 13783
vncServer VNC server – allow VNC sessions 0-64: inbound TCP Ports 5900 –
vpxHeartbeats vpx heartbeats – outbound UDP Port

If you are feeling ninja you can define your own services by editing /etc/vmware/firewall/services.xml. That said, for day-to-day work it is much easier to use the built-in switches, as shown below. Changes made with these switches are saved in the host configuration and reapplied at boot, so they survive a reboot.

To enable SSH client connections from the Service Console:

  1. esxcfg-firewall -e sshClient

To disable Samba (SMB) client connections:

  1. esxcfg-firewall -d smbClient

To allow outgoing syslog traffic (a custom port, since there is no predefined syslog service; the last field is the label the rule is listed under):

  1. esxcfg-firewall -o 514,udp,out,syslog

To check the result for a single service, or dump the whole rule set:

  1. esxcfg-firewall -q sshClient
  2. esxcfg-firewall -q

To turn the firewall off (this exposes every listening service in the Service Console and is only appropriate for short troubleshooting sessions, never as a permanent state):

  1. esxcfg-firewall --allowIncoming
  2. esxcfg-firewall --allowOutgoing

To re-enable the firewall:

  1. esxcfg-firewall --blockIncoming
  2. esxcfg-firewall --blockOutgoing
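The individual commands above are easy to type once, but on a fleet of hosts you want them applied consistently and checked before they run. The following script is an added example and is not code from the original page or from VMware: it validates each custom port spec before building the esxcfg-firewall command line, disables the predefined services a hardened Service Console should not need, enables only the ones you decide to keep, then dumps the resulting rule set with -q. The choice of which services to keep or drop is an assumption for illustration; adjust the lists for your environment. When esxcfg-firewall is not on PATH (for example when reviewing the script off-host) it prints the commands instead of running them.

```shell
#!/bin/sh
# Apply a minimal Service Console firewall policy with esxcfg-firewall.
# Added example, not VMware's code. The KEEP/DROP/OPEN lists are a
# constructed policy (assumption) for a host managed by VirtualCenter
# with SSH for administration and syslog shipped to a central collector.

FW=esxcfg-firewall

# Predefined services to keep enabled.
KEEP_SERVICES="sshServer vpxHeartbeats ntpClient"
# Predefined services to explicitly disable (clear-text or unneeded on a hardened console).
DROP_SERVICES="ftpServer ftpClient telnetClient vncServer smbClient"
# Custom ports as port,proto,direction,name (the -o argument format).
OPEN_PORTS="514,udp,out,syslog"

# Check a port spec: numeric port 1-65535, proto tcp|udp, direction in|out.
valid_port_spec() {
    _port=$1 _proto=$2 _dir=$3
    case $_port in ''|*[!0-9]*) return 1 ;; esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ] || return 1
    case $_proto in tcp|udp) ;; *) return 1 ;; esac
    case $_dir in in|out) ;; *) return 1 ;; esac
    return 0
}

# Print the esxcfg-firewall -o command line for a custom port.
# The rule name (4th field) is required; -q lists the rule under it.
open_port_cmd() {
    valid_port_spec "$1" "$2" "$3" || return 1
    [ -n "$4" ] || return 1
    printf '%s -o %s,%s,%s,%s\n' "$FW" "$1" "$2" "$3" "$4"
}

# Print the command line that enables (e) or disables (d) a predefined service.
service_cmd() {
    case $1 in e|d) ;; *) return 1 ;; esac
    [ -n "$2" ] || return 1
    printf '%s -%s %s\n' "$FW" "$1" "$2"
}

# Execute a command line on an ESX host; echo it when the tool is absent.
run() {
    if command -v "$FW" >/dev/null 2>&1; then
        $1
    else
        echo "dry-run: $1"
    fi
}

apply_policy() {
    # Make sure the filter itself is on before touching individual rules.
    run "$FW --blockIncoming"
    run "$FW --blockOutgoing"
    for s in $DROP_SERVICES; do run "$(service_cmd d "$s")"; done
    for s in $KEEP_SERVICES; do run "$(service_cmd e "$s")"; done
    for spec in $OPEN_PORTS; do
        save_ifs=$IFS; IFS=,; set -- $spec; IFS=$save_ifs
        cmd=$(open_port_cmd "$1" "$2" "$3" "$4") || {
            echo "rejected port spec: $spec" >&2
            return 1
        }
        run "$cmd"
    done
    # Show the resulting rule set so the change can be reviewed.
    run "$FW -q"
}

apply_policy
```

Run it as root on the host (or from a management box with the lists adjusted) and keep the -q output with the change record; a port spec with a bad protocol or an out-of-range port is rejected before anything is changed on the host.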

So now you know how to configure the firewall, it is time to consider the other steps in hardening your environment. More later.