ESXi includes a firewall that is enabled by default. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for services that are enabled in the security profile of the host. You manage the firewall using the vSphere Client, the CLI, and the API.
As you open ports on the firewall, consider that unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to enable access only from authorized networks.
You can manage ESXi firewall ports as follows:
- Use the vSphere Client. See Manage ESXi Firewall Settings.
- Use ESXCLI commands from the command line or in scripts. See Using ESXCLI Firewall Commands to Configure ESXi Behavior.
- Use a custom VIB if the port you want to open is not included in the security profile.
To install the custom VIB, you have to change the acceptance level of the ESXi host to CommunitySupported. Note that the acceptance level applies to the whole host, not to that one VIB: once it is lowered, unsigned community VIBs can be installed from then on, so treat the change as a reduction of the host's software-integrity controls and audit it accordingly.
Note: If you engage VMware Technical Support to investigate a problem on an ESXi host with a CommunitySupported VIB installed, VMware Support can request you to uninstall this VIB. Such a request is a troubleshooting step to determine if that VIB is related to the problem being investigated.
The behavior of the NFS Client rule set (nfsClient) is different from other rule sets. When the NFS Client rule set is enabled, all outbound TCP ports are open for the destination hosts in the list of allowed IP addresses. See NFS Client Firewall Behavior for more information.
Manage ESXi Firewall Settings
You can configure incoming and outgoing firewall connections for a service or a management agent from the vSphere Client or at the command line.
This task describes how to use the vSphere Client to configure ESXi firewall settings. You can use the ESXi Shell or ESXCLI commands to configure ESXi at the command line to automate the firewall configuration. See Using ESXCLI Firewall Commands to Configure ESXi Behavior for examples of using ESXCLI to manipulate firewalls and firewall rules.
Add Allowed IP Addresses for an ESXi Host
By default, the firewall for each service allows access to all IP addresses. To restrict traffic, change each service to allow traffic only from your management subnet. You can also deselect some services if your environment does not use them.
To update the Allowed IP list for a service you can use the vSphere Client, ESXCLI, or PowerCLI. This task describes how to use the vSphere Client. See the topic titled "Manage the ESXi Firewall" in the ESXCLI Concepts and Examples documentation for instructions on using ESXCLI.
Incoming and Outgoing Firewall Ports for ESXi Hosts
Open and close firewall ports for each service by using either the vSphere Client or the VMware Host Client.
ESXi includes a firewall that is enabled by default. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for services that are enabled in the host's security profile. For the list of supported ports and protocols in the ESXi firewall, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/.
The VMware Ports and Protocols Tool lists port information for services that are installed by default. If you install other VIBs on your host, additional services and firewall ports might become available. The information is primarily for services that are visible in the vSphere Client but the VMware Ports and Protocols Tool includes some other ports as well.
NFS Client Firewall Behavior
The NFS Client firewall rule set behaves differently than other ESXi firewall rule sets. ESXi changes the NFS Client settings itself when you add, mount, or unmount an NFS datastore, and the resulting firewall state depends on the NFS version.
NFS v3 Firewall Behavior
When you add or mount an NFS v3 datastore, ESXi checks the state of the NFS Client (nfsClient) firewall rule set.
- If the nfsClient rule set is deactivated, ESXi activates the rule set and deactivates the Allow All IP Addresses policy by setting the allowedAll flag to FALSE. The IP address of the NFS server is added to the allowed list of outgoing IP addresses.
- If the nfsClient rule set is activated, the state of the rule set and the allowed IP address policy are not changed. The IP address of the NFS server is added to the allowed list of outgoing IP addresses.
When you remove or unmount an NFS v3 datastore, ESXi performs one of the following actions.
- If none of the remaining NFS v3 datastores are mounted from the server of the datastore being unmounted, ESXi removes the server's IP address from the list of outgoing IP addresses.
- If no mounted NFS v3 datastores remain after the unmount operation, ESXi deactivates the nfsClient firewall rule set.
NFS v4.1 Firewall Behavior
When you mount the first NFS v4.1 datastore, ESXi activates the nfs41client rule set and sets its allowedAll flag to TRUE. This action opens port 2049 for all IP addresses. Unmounting an NFS v4.1 datastore does not affect the firewall state. That is, the first NFS v4.1 mount opens port 2049 and that port remains activated unless you close it explicitly.
Using ESXCLI Firewall Commands to Configure ESXi Behavior
If your environment includes multiple ESXi hosts, automate firewall configuration by using ESXCLI commands or the vSphere Web Services SDK.
Firewall Command Reference
You can use the ESXi Shell or ESXCLI commands to configure ESXi at the command line to automate a firewall configuration. To manipulate firewalls and firewall rules, see Getting Started with ESXCLI for an introduction, and ESXCLI Concepts and Examples for examples of using ESXCLI.
In ESXi 7.0 and later, access to the service.xml file, used to create custom firewall rules, is restricted. See VMware Knowledge Base article 2008226 for information about creating custom firewall rules using the /etc/rc.local.d/local.sh file.
Command | Description |
---|---|
esxcli network firewall get | Return the status of the firewall and list the default actions. |
esxcli network firewall set --default-action | Set to true to set the default action to pass. Set to false to set the default action to drop. |
esxcli network firewall set --enabled | Activate or deactivate the ESXi firewall. |
esxcli network firewall load | Load the firewall module and the rule set configuration files. |
esxcli network firewall refresh | Refresh the firewall configuration by reading the rule set files if the firewall module is loaded. |
esxcli network firewall unload | Destroy filters and unload the firewall module. |
esxcli network firewall ruleset list | List rule sets information. |
esxcli network firewall ruleset set --allowed-all --ruleset-id=<string> | Set to true to allow access to the specified rule set from all IP addresses. Set to false to use the rule set's list of allowed IP addresses instead. |
esxcli network firewall ruleset set --enabled --ruleset-id=<string> | Set enabled to true to activate the specified ruleset. Set enabled to false to deactivate the specified ruleset. |
esxcli network firewall ruleset allowedip list | List the allowed IP addresses of the specified rule set. |
esxcli network firewall ruleset allowedip add | Allow access to the rule set from the specified IP address or range of IP addresses. |
esxcli network firewall ruleset allowedip remove | Remove access to the rule set from the specified IP address or range of IP addresses. |
esxcli network firewall ruleset rule list | List the rules of each ruleset in the firewall. |
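The following script is an added example, not VMware's own code. It strings together the commands in the table above to do at the command line what the Add Allowed IP Addresses task does in the vSphere Client: it takes the sshServer rule set off the allow-all policy and pins it to a management network, does the same for the nfs41client rule set, which (see NFS v4.1 Firewall Behavior) otherwise leaves port 2049 open to every address after the first NFS v4.1 mount, and then parses the output of `esxcli network firewall get` to confirm the firewall is enabled with a DROP default action. The addresses are constructed placeholders, the `ESXCLI` variable is this script's own device for dry runs on a machine without esxcli, and the ordering of the calls (allowed addresses added before allowed-all is switched off) is a choice made here to avoid locking out the session that runs the script.

```shell
#!/bin/sh
# Added example, not VMware's code: restrict ESXi firewall rule sets to named
# networks with the esxcli commands documented above, then check firewall state.
# Run in the ESXi Shell. Set ESXCLI=echo to dry-run on any machine.
ESXCLI="${ESXCLI:-esxcli}"

# Constructed addresses for this example; replace with your own networks.
MGMT_NETS="192.0.2.0/24 198.51.100.10"
NFS_SERVERS="203.0.113.20"

# Switch one rule set from allow-all to an allowed-IP list. The addresses are
# added before allowed-all is turned off so that the management session used
# to run this script is never cut off between the two calls.
restrict_ruleset() {
    rs="$1"; shift
    for addr in "$@"; do
        "$ESXCLI" network firewall ruleset allowedip add --ruleset-id="$rs" --ip-address="$addr" || return 1
    done
    "$ESXCLI" network firewall ruleset set --ruleset-id="$rs" --allowed-all=false
}

# Read the output of 'esxcli network firewall get' on stdin and succeed only
# if the firewall is enabled and its default action is DROP.
firewall_is_restrictive() {
    enabled=false; action=""
    while IFS= read -r line; do
        case "$line" in
            *"Enabled: true"*)  enabled=true ;;
            *"Default Action:"*) action="${line##*: }" ;;
        esac
    done
    [ "$enabled" = true ] && [ "$action" = "DROP" ]
}

harden_host() {
    # Management SSH: reachable only from the management networks.
    # $MGMT_NETS is deliberately unquoted so each address becomes an argument.
    restrict_ruleset sshServer $MGMT_NETS || return 1
    # NFS v4.1 opens port 2049 to all addresses on first mount and never
    # closes it on unmount; pin it to the NFS server(s) instead.
    restrict_ruleset nfs41client $NFS_SERVERS || return 1
    "$ESXCLI" network firewall get | firewall_is_restrictive \
        || { echo "firewall is disabled or default action is not DROP" >&2; return 1; }
}

# Only change anything when explicitly asked; sourcing the file just defines
# the functions so they can be reused or tested.
if [ "${1:-}" = apply ]; then
    harden_host
fi
```

Running `ESXCLI=echo sh harden.sh apply` prints the exact esxcli invocations without touching a host, which is a cheap way to review the change before running it for real on each host in a fleet; the `firewall get` check will report a failure in that mode because `echo` does not produce the expected output.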