Wednesday, May 15, 2013

vSphere 5.x Firewalls

By Joe Piggee

By default, when ESXi is installed, the firewall is enabled. The default configuration is to permit only the required operational traffic and to deny all others. As a note, the command esxcfg-firewall was retired and replaced by esxcli network firewall in vSphere 5.

To enable the firewall:

esxcli network firewall set --enabled true

To disable the firewall:

esxcli network firewall set --enabled false

Enable/Disable pre-configured services

  • List the rulesets and note the ruleset ID of the service you want to change:
    • esxcli network firewall ruleset list
  • To enable:
    • esxcli network firewall ruleset set --enabled true --ruleset-id rulesetName
  • To disable:
    • esxcli network firewall ruleset set --enabled false --ruleset-id rulesetName

Configure service behavior automation

  1. Log in to the vSphere Client
  2. Enter the Hosts and Clusters View (Ctrl + Shift + H)
  3. Select a host
  4. Click the Configuration tab
  5. Under the Software view, select Security Profile
  6. Under Security Profile > Services, click Properties
  7. Highlight a service
  8. Click Options
  9. The service operational controls are listed
    1. Start automatically if any ports are open, and stop when all ports are closed
    2. Start and stop with host
    3. Start and stop manually (Select this to effectively disable the service)

Open/Close ports in the firewall

  1. Log in to the vSphere Client
  2. Enter the Hosts and Clusters View (Ctrl + Shift + H)
  3. Select a host
  4. Click the Configuration tab
  5. Under the Software view, select Security Profile
  6. Under Security Profile > Firewall, click Properties
  7. Highlight a service
  8. To enable a firewall rule, check the check box next to the traffic label
  9. Click Options to set the service start automation settings as described above
  10. Click the Firewall button to define which sources may connect to the service. Either all connections are allowed, or access is restricted to specific IPv4 or IPv6 addresses and/or IPv4 or IPv6 networks.

Alternatively, the allowed IP addresses can be defined from the command line:
esxcli network firewall ruleset allowedip add --ruleset-id RulesetName --ip-address IPAddress/Network
esxcli network firewall ruleset allowedip add --ruleset-id RulesetName --ip-address IPAddress
esxcli network firewall ruleset allowedip remove --ruleset-id RulesetName --ip-address IPAddress/Network
esxcli network firewall ruleset allowedip remove --ruleset-id RulesetName --ip-address IPAddress
esxcli network firewall ruleset allowedip list --ruleset-id RulesetName
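As an added example (not from the original post), a small Python audit that parses captured output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list`, flags enabled rulesets still open to every source address, and prints the allowedip commands above that would restrict them. The sample output embedded here is constructed in the shape those commands print; the `--allowed-all false` option on `ruleset set` is not mentioned in the post but is a real esxcli option, and treating a ruleset missing from the allowedip table as "All" is an assumption.

```python
import re

# Constructed sample of `esxcli network firewall ruleset list` output
# (same table shape esxcli prints; values are made up for this example).
RULESET_LIST = """\
Name                  Enabled
--------------------  -------
sshServer                true
sshClient               false
ntpClient                true
"""

# Constructed sample of `esxcli network firewall ruleset allowedip list` output.
ALLOWEDIP_LIST = """\
Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
sshClient      All
ntpClient      192.168.10.5, 192.168.10.6
"""

def parse_table(text):
    """Split an esxcli two-column table into (first column, rest) pairs, skipping the header and dashes."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rows = []
    for line in lines[2:]:
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            rows.append((parts[0], parts[1]))
    return rows

def enabled_rulesets(ruleset_text):
    return {name for name, flag in parse_table(ruleset_text) if flag.lower() == "true"}

def allowed_ips(allowedip_text):
    """Map ruleset name -> list of allowed addresses/networks ('All' means any source)."""
    return {name: [ip.strip() for ip in ips.split(",")] for name, ips in parse_table(allowedip_text)}

def unrestricted_enabled(ruleset_text, allowedip_text):
    """Enabled rulesets reachable from any source; a ruleset absent from the allowedip table counts as 'All' (assumption)."""
    allowed = allowed_ips(allowedip_text)
    return sorted(n for n in enabled_rulesets(ruleset_text) if allowed.get(n, ["All"]) == ["All"])

def restrict_commands(ruleset, networks):
    """esxcli commands that limit a ruleset to the given networks and then switch off allow-all."""
    cmds = [f"esxcli network firewall ruleset allowedip add --ruleset-id {ruleset} --ip-address {n}"
            for n in networks]
    cmds.append(f"esxcli network firewall ruleset set --allowed-all false --ruleset-id {ruleset}")
    return cmds
```

Paste the real output of the two list commands into the two constants, then call unrestricted_enabled and restrict_commands with the management networks that should be allowed.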

Note that you may edit the /etc/vmware/firewall/services.xml file for the pre-configured services. After you update any port numbers, remember to refresh the firewall:
esxcli network firewall refresh
