The NFS Client rule set behaves differently than other ESXi firewall rule sets. ESXi configures NFS Client settings when you mount or unmount an NFS datastore.

When you add or mount an NFS datastore, ESXi checks the state of the NFS Client (nfsClient) firewall rule set.

  • If the NFS Client rule set is disabled, ESXi enables the rule set and disables the Allow All IP Addresses policy by setting the allowedAll flag to FALSE. The IP address of the NFS server is added to the allowed list of outgoing IP addresses.

  • If the NFS Client rule set is enabled, the state of the rule set and the allowed IP address policy are not changed. The IP address of the NFS server is added to the allowed list of outgoing IP addresses.

When you remove or unmount an NFS datastore, ESXi performs one of the following actions.

  • If the ESXi host still has any NFS datastore mounted, the IP address of the unmounted NFS server is removed from the list of allowed outgoing IP addresses and the NFS Client rule set remains enabled.

  • If the ESXi host no longer has any NFS datastore mounted, the IP address of the unmounted NFS server is removed from the list of allowed outgoing IP addresses and the NFS Client rule set is disabled.

Note:

If you manually enable the NFS Client rule set or manually set the Allow All IP Addresses policy, either before or after you add an NFS datastore to the system, your settings are overridden when the last NFS datastore is unmounted. The NFS Client rule set is disabled when all NFS datastores are unmounted.
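
The following Python model is an added example, not VMware code. It replays the mount and unmount transitions described above and flags states where the outbound policy is wider than the mounted datastores require. The class and method names, the starting value of allowedAll, the one-datastore-per-server simplification, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class NfsClientRuleset:
    """Hypothetical model of the nfsClient rule set transitions on this page."""
    enabled: bool = False
    allowed_all: bool = True   # assumed starting policy; the page does not state it
    allowed_ips: set = field(default_factory=set)
    mounted: dict = field(default_factory=dict)   # datastore name -> NFS server IP

    def mount(self, datastore, server_ip):
        if not self.enabled:
            # Disabled rule set: ESXi enables it and sets allowedAll to FALSE.
            self.enabled = True
            self.allowed_all = False
        # Already enabled: state and allowed-IP policy are left unchanged.
        self.allowed_ips.add(server_ip)
        self.mounted[datastore] = server_ip

    def unmount(self, datastore):
        # Assumes one datastore per server, so the server IP can be dropped.
        self.allowed_ips.discard(self.mounted.pop(datastore))
        if not self.mounted:
            # Last NFS datastore unmounted: rule set is disabled,
            # even if an administrator had enabled it manually.
            self.enabled = False

    def audit(self):
        """Return findings where the policy is wider than the mounts need."""
        findings = []
        servers = set(self.mounted.values())
        if self.enabled and self.allowed_all:
            findings.append("allowedAll is TRUE: outbound NFS not limited to mounted servers")
        for ip in sorted(self.allowed_ips - servers):
            findings.append(f"allowed IP {ip} has no mounted datastore")
        if self.enabled and not servers:
            findings.append("rule set enabled with no NFS datastore mounted")
        return findings


if __name__ == "__main__":
    # Constructed scenario: rule set enabled by hand with Allow All before mounting.
    rs = NfsClientRuleset(enabled=True, allowed_all=True)
    rs.mount("ds1", "192.0.2.10")      # policy untouched, Allow All stays on
    print(rs.audit())
    rs.unmount("ds1")                  # last datastore: rule set disabled
    rs.mount("ds1", "192.0.2.10")      # re-enabled by ESXi with allowedAll FALSE
    print(rs.enabled, rs.allowed_all, rs.audit())
```

The scenario at the bottom shows the case the note warns about: a manually set Allow All policy survives the first mount, then is replaced by the restrictive policy after the last datastore is unmounted and one is mounted again.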