esxcfg-firewall


The service console in ESX 3.x has a firewall enabled by default. The network packet filtering found in Red Hat Linux is called iptables. As managing iptables directly is not entirely straightforward, the esxcfg-firewall command makes things a lot easier. The firewall rules are stored in /etc/vmware/esx.conf, but we don't edit this file by hand; we use this command, which also ensures the file is locked while our edits are made. If you are interested in the iptables commands used behind the scenes, you can inspect the log file /var/log/vmware/esxcfg-firewall.log.

We use the esxcfg-firewall command to view and configure the firewall rules. The most popular switch is -q, which queries the firewall for its current settings.

[root@esxhost1 root]# esxcfg-firewall -q
<output>

The -s switch deals with the known network services that may be allowed through the firewall. The list of known services is shown below; the names are case sensitive!

nfsClient

ftpServer

ntpClient

dellom

nisClient

vncServer

tmpLicenseClient

swISCSIClient

CIMHttpsServer

sshClient

snmpd

tmpAAMClient

vpxHeartbeats

smbClient

hpim

tmpHostVmdbServer

tmpHostdSOAPServer

ftpClient

sshServer

ibmdirector

CIMHttpServer

telnetClient

The -l switch loads the firewall and enables iptables.

The -u switch unloads the firewall and disables iptables.

We use the -e switch to enable a particular known service, so if we wanted to enable outbound SSH connections from the service console we would simply enter:

[root@esxhost1 root]# esxcfg-firewall -e sshClient

We use the -d switch to disable a service. In the following example, we prevent outbound SMB connections from the service console:

[root@esxhost1 root]# esxcfg-firewall -d smbClient

If we need to open a TCP or UDP port that is not described by a defined friendly name like “sshClient”, then we can explicitly open that port with the -o switch. The service console firewall is bidirectional, so when opening a port you must also specify the direction, in or out. Equally, we can close an explicit port with the -c switch.

[root@esxhost1 root]# esxcfg-firewall -o port,protocol,direction,name

In the following example, we are opening TCP port 12345 outbound and giving the rule the name “custom-app”:

[root@esxhost1 root]# esxcfg-firewall -o 12345,tcp,out,custom-app

The service names such as sshClient and smbClient are defined in the file /etc/vmware/firewall/services.xml .
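As an added example (not from the original post), here is a small POSIX shell wrapper that checks an -o/-c port spec against the rules described above before emitting the esxcfg-firewall command, and that reconciles the known-service list to an allow-list so every service not explicitly wanted gets disabled. The names run, build_port_rule and reconcile_services and the DRY_RUN switch are my own; nothing here is part of the esxcfg-firewall tool itself.

```shell
# Added example, not from the original post: validate an esxcfg-firewall
# port spec and emit reconcile commands. DRY_RUN=1 (the default here) only
# prints the commands; on an ESX 3.x console set DRY_RUN=0 to apply them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Build "esxcfg-firewall -o port,protocol,direction,name" (action=open) or
# the matching -c command (action=close). Every field is checked first:
# prints the command and returns 0, or returns 1 without printing anything.
build_port_rule() {
    action="$1" port="$2" proto="$3" dir="$4" name="$5"
    case "$action" in open) flag=-o ;; close) flag=-c ;; *) return 1 ;; esac
    # port must be a plain number in 1..65535
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    # the console firewall is bidirectional, so the direction is mandatory
    case "$dir" in in|out) ;; *) return 1 ;; esac
    # friendly name: letters, digits, dash and underscore only, so the
    # value is safe to pass on a command line and store in esx.conf
    case "$name" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    echo "esxcfg-firewall $flag $port,$proto,$dir,$name"
}

# Allow-list reconcile: enable each service named in $1 (space separated)
# and disable every other known service listed in $2. Because -e and -d
# are idempotent this can be re-run safely, e.g. from a hardening script.
reconcile_services() {
    wanted="$1" known="$2"
    for svc in $known; do
        enable=0
        for w in $wanted; do
            if [ "$w" = "$svc" ]; then enable=1; fi
        done
        if [ "$enable" = 1 ]; then run esxcfg-firewall -e "$svc"
        else run esxcfg-firewall -d "$svc"; fi
    done
}
```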
