If your environment includes multiple ESXi hosts, automating firewall configuration by using ESXCLI commands or the vSphere Web Services SDK is recommended.

Firewall Command Reference

You can use the ESXi Shell or vSphere CLI commands to configure ESXi at the command line to automate firewall configuration. See Getting Started with vSphere Command-Line Interfaces for an introduction, and vSphere Command-Line Interface Concepts and Examples for examples of using ESXCLI to manipulate firewalls and firewall rules.

Table 1. Firewall Commands

esxcli network firewall get
    Returns the enabled or disabled status of the firewall and lists the default actions.

esxcli network firewall set --default-action
    Set to true to set the default action to pass. Set to false to set the default action to drop.

esxcli network firewall set --enabled
    Enables or disables the ESXi firewall.

esxcli network firewall load
    Loads the firewall module and the rule set configuration files.

esxcli network firewall refresh
    Refreshes the firewall configuration by re-reading the rule set files, if the firewall module is loaded.

esxcli network firewall unload
    Destroys the filters and unloads the firewall module.

esxcli network firewall ruleset list
    Lists rule set information.

esxcli network firewall ruleset set --allowed-all
    Set to true to allow access from all IP addresses. Set to false to use a list of allowed IP addresses.

esxcli network firewall ruleset set --enabled --ruleset-id=<string>
    Set enabled to true to enable the specified rule set. Set enabled to false to disable the specified rule set.

esxcli network firewall ruleset allowedip list
    Lists the allowed IP addresses of the specified rule set.

esxcli network firewall ruleset allowedip add
    Allows access to the rule set from the specified IP address or range of IP addresses.

esxcli network firewall ruleset allowedip remove
    Removes access to the rule set from the specified IP address or range of IP addresses.

esxcli network firewall ruleset rule list
    Lists the rules of each rule set in the firewall.

Firewall Command Examples

The following examples are from a blog post on virtuallyGhetto.

  1. Verify that a new ruleset called virtuallyGhetto exists.

    esxcli network firewall ruleset rule list | grep virtuallyGhetto

  2. Specify the IP addresses or IP ranges that may access a particular service. The following example disables the allow-all option and then permits only a particular range for the virtuallyGhetto service.

    esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto
    esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto
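The two steps above are easy to apply to one ruleset by hand, but the security-relevant question on a host with many rulesets is which enabled services are still reachable from any source address. The following POSIX shell script is an added example, not code from the VMware documentation or the virtuallyGhetto post. It parses the output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` (the two-column layout with a header and dashed separator is assumed, and the sample output embedded in the script is constructed), reports every ruleset that is both enabled and set to "All", and prints, without running, the same `set --allowed-all false` / `allowedip add` pair from step 2 for each of them. The names find_open_rulesets, restrict_cmds and MGMT_NET are this example's own.

```shell
#!/bin/sh
# Added example: audit ESXi firewall rulesets for services that are enabled
# and reachable from any IP, then emit the esxcli commands that would restrict
# them to a management network. Not part of the VMware docs or the blog post.
#
# Assumed output formats (two whitespace-separated columns after a header line
# and a dashed separator line):
#   esxcli network firewall ruleset list           -> Name, Enabled
#   esxcli network firewall ruleset allowedip list -> Ruleset, Allowed IP Addresses

# Constructed sample output of 'esxcli network firewall ruleset list'.
RULESET_LIST='Name             Enabled
---------------  -------
sshServer           true
sshClient          false
vSphereClient       true
virtuallyGhetto     true
ntpClient           true'

# Constructed sample output of 'esxcli network firewall ruleset allowedip list'.
ALLOWED_LIST='Ruleset          Allowed IP Addresses
---------------  --------------------
sshServer        All
sshClient        All
vSphereClient    All
virtuallyGhetto  172.30.0.0/24
ntpClient        All'

# Hypothetical management network that should be the only permitted source.
MGMT_NET='172.30.0.0/24'

# find_open_rulesets RULESET_OUTPUT ALLOWEDIP_OUTPUT
# Prints one ruleset name per line for every ruleset that is both enabled and
# still on the "All" (accept any source IP) setting.
find_open_rulesets() {
  {
    printf '%s\n' "$1"
    printf '%s\n' '=== ALLOWED ==='
    printf '%s\n' "$2"
  } | awk '
    /^=== ALLOWED ===$/ { section = 2; next }
    /^Name / || /^Ruleset / || /^-/ { next }           # skip headers/separators
    section != 2 && $2 == "true" { enabled[$1] = 1; next }
    section == 2 && $2 == "All" && ($1 in enabled) { print $1 }
  '
}

# restrict_cmds RULESET_ID SOURCE
# Emits (does not execute) the two commands from step 2 above: turn off
# allow-all for the ruleset, then permit a single address or range.
restrict_cmds() {
  printf 'esxcli network firewall ruleset set --allowed-all false --ruleset-id=%s\n' "$1"
  printf 'esxcli network firewall ruleset allowedip add --ip-address=%s --ruleset-id=%s\n' "$2" "$1"
}

# Driver: print the remediation plan so it can be reviewed before it is run.
# On a live host, replace the constants with "$(esxcli network firewall ruleset list)"
# and "$(esxcli network firewall ruleset allowedip list)".
find_open_rulesets "$RULESET_LIST" "$ALLOWED_LIST" | while read -r rs; do
  restrict_cmds "$rs" "$MGMT_NET"
done
```

The script deliberately prints the commands instead of executing them: a ruleset such as vSphereClient is how you reach the host in the first place, so the generated plan should be checked against the management network before it is piped into the ESXi Shell. With the constructed sample data it reports sshServer, vSphereClient and ntpClient, while sshClient is skipped because it is disabled and virtuallyGhetto because it already has a specific range.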