All ESXi hosts have an inbuilt firewall sitting between the management interface and the rest of the network. Enabled by default, the ESXi firewall is configured to drop all ingress and egress traffic but for a specific set of services, a subset of which is given in Figure 1 below.
In this article we explore how the firewall may be managed using the vSphere client, ESXCLI commands and PowerCLI. For illustration purposes, I’ll be using a standalone ESXi host but the same techniques apply to vCenter Server managed hosts.
Managing the Firewall using the vSphere client
Update: As it were, I installed the fling and even though I admittedly haven’t really dug that deep, I do confirm that it allows you to update firewall rules. This will turn out to be a useful tool to anyone missing the vSphere Web Client.
Regardless, I’ll stick to the C# vSphere client for now. To review the firewall settings on an ESXi host, log in with the vSphere Client, select the “Configuration” tab and highlight “Security Profile” under “Software”. You’ll see that the “Security Profile” pane is split into 3 areas, the two topmost ones “Services” and “Firewall” being the ones we’re interested in (Figure 2).
Clicking on “Properties” under “Services” brings up a dialog box showing which services are enabled and those that aren’t. Clicking on the Optionsbutton gives you access to the startup policy for the selected service as you can see in Figure 3.
Similarly, clicking on “Properties” under the “Firewall” section gives you access to a specific service’s settings. A ticked on check-box next to a service tells you that the service is accepting remote access calls. Clicking on the “Firewall” button allows you to limit remote access to the service in question.
For instance, let’s suppose you want to limit SSH access to the sysadmin team. Their workstations reside on the 192.168.10.0/24 network. To enact this rule, you just need to add the 192.168.10.0/24 network to the “Allowed IP Addresses” list as shown in the next Figure. Any call originating from outside this range will be dropped.
Managing the Firewall using ESXCLI
The esxcli network firewall family of commands can be similarly used to manage the ESX firewall. To use them, you’ll need to SSH to the ESXi host using software such as putty.
The command set has a root namespace called ruleset with two child nodes these being allowedip and rule. A service has a ruleset attached to it which can either be disabled or enabled. A ruleset can contain one or more rules.
Here are a few examples to get you started with the command line syntax;
List all currently enabled (disabled) rulesets.
esxcli network firewall ruleset list|grep true
esxcli network firewall ruleset list|grep false
List rules associated with a particular service’s ruleset
Here, you will find a complete list of all the available firewall commands.
Unfortunately there is no easy way – not that I know of – to add custom rulesets other than creating and importing them using VIB packaging. There’s a good article here on how to go about it. It definitely works as I have used it in the past to enable custom rulesets but it’s not for the impatient and takes some time to get used to. VMware refer to it in this KB article which also provides a link to this Word document explaining the entire procedure in full detail.
Note that the VIB method must be used to create custom rulesets that persist after reboots. Alternatively, there are 2 XML files you can play with as described here. Once again, these changes will not persist at least not on ESXi 5.5 and earlier versions – with ESXi 6 I’m not entirely sure since I got mixed results when testing. There’s a not so clean hack you can try where the /etc/rc.local.d/local.sh script is modified such that it copies the amended firewall XML files, which are stored on a datastore on the ESXi host’s local storage, every time it is rebooted. Regardless, my opinion is to stick with the VIB method, despite being cumbersome and all.
Managing the Firewall using PowerCLI
With PowerShell, there are a couple of options you can use to manage the ESXi firewall. You can either expose the same ESXCLI functionality through the Get-EsxCli cmdlet or use the following cmdlets;
However, if you’re already familiar with the ESXCLI syntax, you would naturally want to use get-EsxCLi since it’s pretty much the same thing save for a few syntactical differences. Here’s how to do it;
First of all, you need to retrieve the esxcli.network.firewall namespace and save it as an object. We do this as follows;
Note the two Boolean values passed to the cmdlet. The first specifies the action the firewall takes with true=PASS and false=DROP. The 2nd parameter simply enables or disables the firewall.
As we’ve seen, there are a number of methods you can use to manage your ESXi host’s firewall settings. It would be great if with future releases, VMware would add an easy way to include custom rulesets as the current method is somewhat awkward and quite frankly a pain to deal with.