ESXi includes a firewall between the management interface and the network. The firewall is enabled by default. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for the default services, such as NFS.
Supported services, including NFS, are described in a rule set configuration file in the ESXi firewall directory /etc/vmware/firewall/. The file contains firewall rules and their relationships with ports and protocols.
The behavior of the NFS Client rule set (nfsClient) is different from other rule sets.
For more information about firewall configurations, see the vSphere Security documentation.