When you install ESXi 5 the firewall is enabled by default, with it only allowing the essential traffic, and denying the rest. You can manage the firewall using the vSphere client, or from the CLI.
In the vSphere client the firewall settings can be accessed from the Security Profile section of the Configuration tab:
By accessing the firewall properties you can see which ports are open and which services are started:
Clicking the ‘Firewall’ button will allow you to allow connections only from specific IP addresses/ranges:
Service Automation
You can choose how to start services by clicking on the services properties:
Clicking options will allow you to change how the service starts:
You have the following options for starting services:
- Start automatically if any ports are open, and stop when all ports are closed
- Start and stop with host
- Start and stop manually (Select this to effectively disable the service)
Working with the Firewall using the GUI is fairly straight forward so, for the rest of this post I’ll focus on interacting with the ESXi firewall using the CLI.
Using ESXCLI to Configure the ESXi Firewall
With ESXi 5 the esxcfg-firewall command has been replaced by the esxcli network firewall command/namespace. You can list the current status of the firewall by running:
esxcli network firewall get
To enable and disable the firewall service we can use the following commands:
esxcli network firewall set –enabled false
esxcli network firewall set –enabled true
To list the current firewall rules you can run:
esxcli network firewall rulesset list
We can enable a rule by running
esxcli network firewall ruleset –enabled true –ruleset-id rulesetName