If your environment includes multiple ESXi hosts, automating firewall configuration by using ESXCLI commands or the vSphere Web Services SDK is recommended.
Firewall Command Reference
You can use the ESXi Shell or vSphere CLI commands to configure ESXi at the command line to automate firewall configuration. See Getting Started with vSphere Command-Line Interfaces for an introduction, and vSphere Command-Line Interface Concepts and Examples for examples of using ESXCLI to manipulate firewalls and firewall rules. See VMware Knowledge Base article 2008226 for information about creating custom firewall rules.
| Command | Description |
|---|---|
| esxcli network firewall get | Return the enabled or disabled status of the firewall and lists default actions. |
| esxcli network firewall set --default-action | Set to true to set the default action to pass. Set to false to set the default action to drop. |
| esxcli network firewall set --enabled | Enable or disable the ESXi firewall. |
| esxcli network firewall load | Load the firewall module and rule set configuration files. |
| esxcli network firewall refresh | Refresh the firewall configuration by reading the rule set files if the firewall module is loaded. |
| esxcli network firewall unload | Destroy filters and unload the firewall module. |
| esxcli network firewall ruleset list | List rule sets information. |
| esxcli network firewall ruleset set --allowed-all | Set to true to allow all access to all IPs. Set to false to use a list of allowed IP addresses. |
| esxcli network firewall ruleset set --enabled --ruleset-id=<string> | Set enabled to true to enable the specified ruleset. Set enabled to false to disable the specified ruleset. |
| esxcli network firewall ruleset allowedip list | List the allowed IP addresses of the specified rule set. |
| esxcli network firewall ruleset allowedip add | Allow access to the rule set from the specified IP address or range of IP addresses. |
| esxcli network firewall ruleset allowedip remove | Remove access to the rule set from the specified IP address or range of IP addresses. |
| esxcli network firewall ruleset rule list | List the rules of each ruleset in the firewall. |
Firewall Command Examples
The following examples are from a blog post on virtuallyGhetto.
- Verify a new ruleset called virtuallyGhetto.
esxcli network firewall ruleset rule list | grep virtuallyGhetto
- Specify specific IP Address or IP ranges to access a particular service. The following example disable the allow all option and specifies a particular range for the virtuallyGhetto service.
esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto
