Security – Part Five: Security Profile, Services and Firewall

When an ESXi host system is installed, the firewall is enabled by default. All incoming and outgoing ports are blocked except the default TCP and UDP ports used by the management services. The ESXi firewall protects the management interface of the ESXi host system only; it provides no protection to the virtual machines running on the host. By default, the following management services are open:

Management service (binary) and description:
lbtd (/sbin/net-lbtd): Load-based teaming daemon for distributed switches; evaluates the load on each uplink.
vpxa (/usr/lib/vmware/vpxa/bin/vpxa): vCenter Agent, which relays communication from the vCenter Server system to the hostd service on the ESXi host system.
NTP Daemon (/sbin/ntpd): Network Time Protocol daemon that synchronises the ESXi host system's clock with a stratum time source or an atomic clock over the network.
Direct Console UI (/sbin/dcui): Direct Console User Interface, used to start and stop the system and to perform limited setup, maintenance and troubleshooting tasks.
CIM Server (/bin/cimslp): Common Information Model interface used to monitor and manage the health of the managed server hardware.

In addition to the management services, by default the following ports are open for management access on the ESXi host system:

Port and description (direction and protocol):
22: SSH server, incoming TCP
53: DNS client, incoming and outgoing UDP
68: DHCP client, incoming and outgoing UDP
80: Fault tolerance, incoming TCP and outgoing TCP and UDP
161: SNMP server, incoming UDP
427: CIM client (SLPv2 server discovery), incoming and outgoing UDP
443: HTTPS access, incoming TCP
902: Host access and heartbeat, incoming and outgoing TCP and outgoing UDP
1234, 1235: vSphere Replication, outgoing TCP
5988: CIM transactions over HTTP, incoming TCP
5989: CIM XML transactions over HTTPS, incoming and outgoing TCP
8000: vMotion requests, incoming and outgoing TCP
8100, 8200: Fault tolerance traffic, incoming and outgoing TCP and UDP

In order to protect the management interface the ESXi host system uses firewall rulesets to allow and disallow access to the ESXi host system. The default rulesets are defined initially in the read-only ‘/etc/vmware/firewall/service.xml’ file. To retrieve a list of firewall rule sets invoke the esxcli network firewall namespace.

esxcli network firewall ruleset list

In addition to the list of firewall rulesets, the individual rules (direction, protocol and port) of each ruleset may be retrieved:

esxcli network firewall ruleset rule list

The ESXi host system firewall ports and services can be configured using the vSphere Web Client, the esxcli command line tool or PowerCLI.

Configuring Firewall Service Properties Using vSphere Web Client

1) Select the ESXi host system to configure the Firewall service properties.

2) Browse to Manage > Settings > Security Profile > Services and select Edit.

Configure the ESXi Firewall Properties Using vSphere Web Client

1) Select the ESXi host system to configure the Firewall properties.

2) Browse to Manage > Settings > Security Profile > Firewall and select Edit.

Configure the ESXi Firewall Using PowerCLI 

To retrieve information regarding the ESXi Firewall we can invoke both the Get-VMHostService and Get-VMHostFirewallException cmdlets.

1) For retrieving the status of services running on the ESXi host system, invoke the following:

Get-VMHost esxi1.dean.local | Get-VMHostService

2) To retrieve more detailed information for the incoming and outgoing service ports for each service invoke the following:

Get-VMHost esxi1.dean.local | Get-VMHostFirewallException | Where-Object {$_.Enabled}

By default, management services on the ESXi host system are enabled to provide local and remote client access, and they are allowed through the firewall only if their service ports are open. For example, the syslog service is enabled on the ESXi host system, but its firewall ruleset does not allow outbound connections. To modify the configuration using the esxcli network firewall namespace, perform the following steps.

1) Connect to the ESXi host system using an SSH client.

2) Retrieve the status of the syslog ruleset.

esxcli network firewall ruleset list | grep syslog
syslog false

3) Enable the syslog firewall service.

esxcli network firewall ruleset set -e true -r syslog

We may also disable the syslog firewall service by invoking the following using the esxcli network firewall namespace.

esxcli network firewall ruleset set -e false -r syslog
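As an added example (not part of the original post), the following Python script parses the output of the ruleset list command shown above and flags rulesets that deviate from an expected baseline, so that a ruleset someone enabled by hand is noticed; the sample output and the baseline set are constructed for illustration.

```python
"""Compare the rulesets enabled on an ESXi host with an expected baseline.
Added example, not from the original post; the sample output and baseline are
constructed. Real output can be piped in: esxcli network firewall ruleset list | python3 audit.py"""
import sys

# Constructed sample of 'esxcli network firewall ruleset list' output.
SAMPLE_OUTPUT = """\
Name                 Enabled
-------------------  -------
sshServer            true
sshClient            false
nfsClient            false
syslog               false
vpxHeartbeats        true
DeanTestApplication  true
"""

# Hypothetical baseline of rulesets that should be enabled on this host.
# Enabled-but-unlisted rulesets widen the management attack surface;
# listed-but-disabled ones (e.g. syslog) mean lost logging or heartbeats.
EXPECTED_ENABLED = {"sshServer", "syslog", "vpxHeartbeats"}


def parse_ruleset_list(text):
    """Return {ruleset_name: enabled_bool} from esxcli ruleset list output."""
    state = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, the dashed separator and blank lines.
        if len(parts) != 2 or parts[1] not in ("true", "false"):
            continue
        state[parts[0]] = parts[1] == "true"
    return state


def audit_rulesets(state, expected_enabled):
    """Return (unexpected_enabled, expected_but_disabled), both sorted."""
    enabled = {name for name, on in state.items() if on}
    return sorted(enabled - expected_enabled), sorted(expected_enabled - enabled)


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    unexpected, missing = audit_rulesets(parse_ruleset_list(text), EXPECTED_ENABLED)
    for name in unexpected:
        print(f"enabled but not in baseline: {name}")
    for name in missing:
        print(f"in baseline but disabled:    {name}")
    sys.exit(1 if unexpected or missing else 0)
```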

There may be scenarios where you need to add services beyond those preconfigured on the ESXi host system. To do this, create a configuration file in the directory ‘/etc/vmware/firewall’. In this example, I will configure a service named ‘DeanTestApplication’ to allow inbound connectivity on TCP service port 3210, with the ruleset disabled by default.

1) Connect to the ESXi host system using an SSH client.

2) Create the following file ‘/etc/vmware/firewall/deantestapplication.xml’, with the following configuration.

<!-- Firewall information for Dean Test Application -->
<ConfigRoot>
  <service>
    <id>DeanTestApplication</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>3210</port>
    </rule>
    <!-- ruleset is disabled by default, as described above -->
    <enabled>false</enabled>
    <!-- not a required service: it may be disabled later -->
    <required>false</required>
  </service>
</ConfigRoot>

3) Save the file and reload the firewall, which will restart the services listed for the firewall.

esxcli network firewall refresh

Once the firewall has been reloaded we can use the vSphere Web Client to confirm that the firewall service has been loaded into memory and to configure the service further. Alternatively, we can confirm this from the esxcli network firewall namespace:

esxcli network firewall ruleset list | grep DeanTestApplication
DeanTestApplication false
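Because a malformed service file (a mismatched closing tag, a missing enabled element, an out-of-range port) is only discovered when the refresh silently ignores it, the following added Python check (not part of the original post) validates a custom service file before the refresh; the allowed element values are assumed from the format used above and the sample document is constructed.

```python
"""Sanity-check a custom ESXi firewall service file before 'esxcli network firewall refresh'."""
import xml.etree.ElementTree as ET
# Assumed allowed values for the per-rule elements used in the post's service XML.
VALID = {
    "direction": {"inbound", "outbound"},
    "protocol": {"tcp", "udp"},
    "porttype": {"dst", "src"},
}

# Constructed sample: the DeanTestApplication service file from the post.
GOOD_XML = """<!-- Firewall information for Dean Test Application -->
<ConfigRoot>
  <service>
    <id>DeanTestApplication</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>3210</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
"""


def validate_service_xml(text):
    """Return a list of problems; an empty list means the file looks sane."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:  # e.g. a </Config> closing a <ConfigRoot>
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "ConfigRoot":
        problems.append(f"root element is <{root.tag}>, expected <ConfigRoot>")
    for svc in root.findall("service"):
        sid = svc.findtext("id") or "<missing id>"
        for rule in svc.findall("rule"):
            for tag, allowed in VALID.items():
                if rule.findtext(tag) not in allowed:
                    problems.append(f"service {sid}: bad or missing <{tag}>")
            port = rule.findtext("port") or ""
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"service {sid}: bad <port> {port!r}")
        # Without an explicit <enabled> the ruleset's default state is not declared.
        if svc.findtext("enabled") not in ("true", "false"):
            problems.append(f"service {sid}: <enabled> must be true or false")
    return problems
```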
