sparqy
Contributor

Persistent firewall rule

hey guys,

I took over some ESXi servers and I noticed they were not logging correctly. So I added the firewall rule to open port 10514 through esxcli using an article on GitHub. However, when I reboot, the rule disappears. I tried adding the firewall rule in a separate XML file and adding it directly to the service.xml file, yet each time I reboot the ESXi host the rule and the XML file are not there when it comes back up. Is this normal behavior for the /etc/vmware/firewall/ directory, or am I missing something here? Also, if it is normal, how do I add a persistent firewall rule to allow port 10514? All I can find in the docs is to edit the service.xml file.

sparqy
Contributor

I am running the following version:

1.33.4
14093553
6.7.0
14320388

T180985
Expert

You can do it via the web client, see: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-9C6D29E6-C58D-410...

Please mark helpful or correct if my answer resolved your issue. How to post effectively on VMTN https://communities.vmware.com/people/daphnissov/blog/2018/12/05/how-to-ask-for-help-on-tech-forums
sparqy
Contributor

I am unable to change the port numbers there. I am also not able to add a new rule via the GUI. Thanks for the tip, but it does not work in my situation.

scott28tt
VMware Employee

Moderator: Please post product questions to the appropriate forum area. Moved to ESXi

berndweyand
Expert

set the sticky bit on your separate xml-file - then it will be backed up and persist through reboot: chmod +t <xmlfile>

run the backup manually before the first reboot: /sbin/auto-backup.sh (because the backup runs only once per hour)

abulhol
Enthusiast

I don't think setting the sticky bit solves this issue.

I rather think that you have to store the additional XML file e.g. to the datastore1 and copy it from there to /etc/vmware/firewall/ via /etc/rc.local.d/local.sh on boot.

See related KB articles:

VMware Knowledge Base: https://kb.vmware.com/s/article/2011818

Unfortunately, these posts relate to ESXi 5.0. VMware does not offer up-to-date info on this for ESXi 6.7.

sparqy
Contributor

Hey guys,

Sorry for the delay in getting back to you all. So there were a lot of good ideas that I took to come up with the solution I am now using on my hosts. If this is not the preferred VMware way then please let me know how to do it better.

1) Edit the local.sh file

   vi /etc/rc.local.d/local.sh

2) Add the following lines right above "exit 0"

   Note: change the x.x.x.x to the actual IP of your logging host

#------------------------------------------------------------------
# Start - Add MyFW firewall rules after boot and restart firewall services
#------------------------------------------------------------------
/bin/cat > /etc/vmware/firewall/MyFW_syslog.xml << EOF
<ConfigRoot>
  <service>
    <id>MyFW.SyslogPort10514</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>10514</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF

# refresh firewall rules
esxcli network firewall refresh

# enable the outbound syslog traffic on port 10514
esxcli network firewall ruleset set -e true -r MyFW.SyslogPort10514

# (optional) disable outbound traffic on default port
esxcli network firewall ruleset set -e false -r syslog

# configure remote syslog host
esxcli system syslog config set --loghost tcp://x.x.x.x:10514

# reload configuration
esxcli system syslog reload

# test message
esxcli system syslog mark -s "Added MyFW rules after reboot"

#------------------------------------------------------------------
# End - Add MyFW firewall rules after boot and restart firewall services
#------------------------------------------------------------------
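
Combining abulhol's suggestion (keep the rule XML on a datastore and copy it into /etc/vmware/firewall/ from local.sh) with the boot script above, here is an added example, not code from anyone in this thread, of a guarded installer: it refuses to copy a rule file that does not carry the expected ruleset id or a port in range, and checks that the ruleset actually reports as enabled after the refresh, so a host that silently lost its remote-logging rule is noticed. The datastore path, the `install` argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not code from this thread): boot-time installer for a custom
# ESXi firewall ruleset, intended to be called from /etc/rc.local.d/local.sh.
# Assumptions: the rule XML lives on a persistent datastore at SRC_XML, and the
# ruleset id matches the <id> used in the thread's MyFW_syslog.xml.
SRC_XML="${SRC_XML:-/vmfs/volumes/datastore1/firewall/MyFW_syslog.xml}"
DST_DIR="/etc/vmware/firewall"
RULESET="MyFW.SyslogPort10514"

# Sanity-check a rule file before it is copied into the firewall directory:
# it must be readable, declare exactly the expected ruleset id, and carry a
# <port> in the valid TCP/UDP range. Returns 0 when usable, 1 otherwise.
validate_rule_xml() {
  f="$1"
  [ -r "$f" ] || return 1
  grep -qF "<id>$RULESET</id>" "$f" || return 1
  port=$(sed -n 's:.*<port>\([0-9][0-9]*\)</port>.*:\1:p' "$f" | head -n 1)
  [ -n "$port" ] || return 1
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Copy the validated file in, reload the firewall, enable the ruleset and
# confirm the host now reports it as enabled (a silent failure here is what
# leaves a host without remote logging after a reboot).
install_rule() {
  if ! validate_rule_xml "$SRC_XML"; then
    echo "refusing to install: $SRC_XML failed validation" >&2
    return 1
  fi
  cp "$SRC_XML" "$DST_DIR/" || return 1
  esxcli network firewall refresh || return 1
  esxcli network firewall ruleset set -e true -r "$RULESET" || return 1
  esxcli network firewall ruleset list -r "$RULESET" | grep -q true
}

# Only touch the host when explicitly asked, e.g. from local.sh:
#   /vmfs/volumes/datastore1/firewall/install_fw_rule.sh install
if [ "${1:-}" = "install" ]; then
  install_rule
fi
```

Because the datastore copy is the source of truth, a later upgrade that rewrites local.sh costs only the one-line call, not the rule itself.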

Neutro
Enthusiast

Adding a full xml file inside local.sh doesn't sound like the way it was intended to be used so you might get problems later because of that.

You should make your own VIB like this instead:

https://www.altaro.com/vmware/how-to-create-persistent-firewall-rules-on-esxi/#comment-18186

It's pretty quick to do. Use the SUSE DVD as repository (don't use the official internet repo, as packages are too updated and the above guide doesn't work with them).

sparqy
Contributor

Neutro,

I agree completely with you. I like the idea of creating the VIB instead in a production environment. The local.sh file gets overwritten often with upgrades, so it would mean another step during the process. I will give this a try and see if I can create my first VIB. I do not know why VMware has not included a simple way to modify the firewall. Coming from a network engineer by trade, that is a major failure on their part.

sparqy
