How to manage ESXi Firewall Configuration

ESXi hosts have a built-in firewall between the management interface and the rest of the network. By default it drops all incoming and outgoing traffic except for a specific set of services on the ESXi host. To secure a freshly installed ESXi host by allowing only certain IP addresses or IP ranges, you can configure the firewall settings with the vSphere client, vCenter, or the ESXi CLI (esxcli).

Manage ESXi firewall Using vSphere client

The easiest way to configure the firewall settings is through the vSphere client or the vCenter GUI.

  • Log in to your vSphere client
  • Click the ESXi host
  • Go to Configuration
  • Click Security Profile under Software – you can see the service list and the firewall
  • Click Properties in the Firewall section
  • Select your service and click Firewall
  • Update your IP address or IP range to allow traffic for your particular service.

ESXi CLI Commands

Manage ESXi firewall Using ESXi CLI

Log in to your ESXi host.

Use the following commands to manage your firewall settings.

esxcli network firewall get                         – Returns the enabled or disabled status of the firewall and lists the default action.
esxcli network firewall set --default-action        – Update the default action.
esxcli network firewall set --enabled               – Enable or disable the ESXi firewall.
esxcli network firewall load                        – Load the firewall module and rule set configuration files.
esxcli network firewall refresh                     – Refresh the firewall configuration by re-reading the rule set files if the firewall module is loaded.
esxcli network firewall unload                      – Destroy filters and unload the firewall module.
esxcli network firewall ruleset list                – List rule set information.
esxcli network firewall ruleset set --allowed-all   – Set the allowed-all flag.
esxcli network firewall ruleset set --enabled       – Enable or disable the specified rule set.
esxcli network firewall ruleset allowedip list      – List the allowed IP addresses of the specified rule set.
esxcli network firewall ruleset allowedip add       – Allow access to the rule set from the specified IP address or range of IP addresses.
esxcli network firewall ruleset allowedip remove    – Remove access to the rule set from the specified IP address or range of IP addresses.

ESXi CLI Command Examples

Display the firewall status

[root@localhost:~] esxcli network firewall get
   Default Action: DROP
   Enabled: true
   Loaded: true

Restrict a particular service to specific IP addresses or IP ranges. The following example disables the allow-all option and then permits a particular range for the sshServer service.

[root@localhost:~] esxcli network firewall ruleset set --allowed-all false --ruleset-id=sshServer

[root@localhost:~] esxcli network firewall ruleset allowedip add --ip-address=192.168.0.0/24 --ruleset-id=sshServer

or

[root@localhost:~] esxcli network firewall ruleset allowedip add -i=192.168.0.0/24 -r=sshServer

To remove a previously allowed IP address or range:

[root@localhost:~] esxcli network firewall ruleset allowedip remove --ip-address=192.168.0.0/24 -r=sshServer

List the rules associated with a particular service's ruleset:

[root@localhost:~] esxcli network firewall ruleset rule list | grep sshServer

sshServer                 Inbound    TCP       Dst                22        22

or

[root@localhost:~] esxcli network firewall ruleset rule list -r "sshServer"

sshServer                 Inbound    TCP       Dst                22        22

To check the allowed IP addresses for all services, use the command below.

[root@localhost:~] esxcli network firewall ruleset allowedip list
Ruleset                   Allowed IP Addresses
------------------------  --------------------
sshServer                 192.168.0.0/24, 10.1.0.14, 172.0.0.2
sshClient                 All
nfsClient                 All

List all rulesets that have an allowed-IP list configured (i.e. that are not open to All addresses):

[root@localhost:~] esxcli network firewall ruleset allowedip list | grep -v "All"

List the rulesets and whether each is enabled:

[root@localhost:~] esxcli network firewall ruleset list
Name                      Enabled
------------------------  -------
sshServer                    true
sshClient                    true
nfsClient                   false
nfs41Client                 false
dhcp                         true
dns                          true
snmp                         true
ntpClient                   false
CIMHttpServer                true
CIMHttpsServer               true
CIMSLP                       true
iSCSI                        true
vpxHeartbeats                true
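The two listings above (ruleset enabled state and allowed IP addresses) are usually read together when hardening a host: the rulesets worth attention are the ones that are enabled and still open to All. The following POSIX sh script, an added example that is not part of the original post, combines both outputs to list those rulesets and to print the esxcli commands that would restrict them to a given range. It runs on constructed sample output that mimics the column layout shown on this page; on a real host you would feed it the live output of the two esxcli commands instead.

```shell
#!/bin/sh
# Added example (not from the original post): find enabled ESXi rulesets that
# still accept connections from any source address, so the allowed-IP
# restriction shown above can be applied to them.
# Assumes the column layout of `esxcli network firewall ruleset list` and
# `esxcli network firewall ruleset allowedip list` shown on this page.

# Constructed sample output, standing in for:
#   esxcli network firewall ruleset list
SAMPLE_RULESETS='Name                      Enabled
------------------------  -------
sshServer                    true
sshClient                    true
nfsClient                   false
CIMHttpsServer               true'

# Constructed sample output, standing in for:
#   esxcli network firewall ruleset allowedip list
SAMPLE_ALLOWED='Ruleset                   Allowed IP Addresses
------------------------  --------------------
sshServer                 192.168.0.0/24, 10.1.0.14
sshClient                 All
nfsClient                 All
CIMHttpsServer            All'

# Print rulesets that are enabled AND allow all source addresses.
# $1: ruleset list output, $2: allowedip list output.
# NR > 2 skips the header and the dashed separator line of each listing.
open_enabled_rulesets() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }' |
    while read -r rs; do
        printf '%s\n' "$2" |
            awk -v rs="$rs" 'NR > 2 && $1 == rs && $2 == "All" { print $1 }'
    done
}

# Build the esxcli commands that would restrict each open ruleset to the
# range in $3. They are printed, not executed, so they can be reviewed first.
restrict_commands() {
    open_enabled_rulesets "$1" "$2" | while read -r rs; do
        printf 'esxcli network firewall ruleset set --allowed-all false --ruleset-id=%s\n' "$rs"
        printf 'esxcli network firewall ruleset allowedip add --ip-address=%s --ruleset-id=%s\n' "$3" "$rs"
    done
}

# Stand-alone run on the constructed sample.
open_enabled_rulesets "$SAMPLE_RULESETS" "$SAMPLE_ALLOWED"
```

On a live host, replace the samples with `$(esxcli network firewall ruleset list)` and `$(esxcli network firewall ruleset allowedip list)`; the ESXi shell is BusyBox ash, which the script's POSIX constructs target.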