VMware Cloud Community
rsmclane
Contributor

Bug with the enable/disable behavior of sshServer in the firewall

I'm new to the forum and not sure if this is where this goes, but I don't really see a bug report area.

We run ssh on a different port here. So I opened up the port, moved the sshd service to the new port, and then, since nothing was listening on port 22, decided to esxcfg-firewall --disableService sshServer. That doesn't just shut port 22 in the firewall. It also shuts down the sshd service and sets it not to start by default under any init levels. This isn't what I would expect from a firewall config change, but I rolled with it. However, enabling the sshServer does not revert any of these changes. It doesn't start sshd or change the init level settings back. Further, even if you change the init settings and start sshd, whenever you restart mgmt-vmware, it will shut down sshd again. So I just left the sshServer firewall rule enabled and set the init files back. If disabling this rule is going to shut down sshd like this, then enabling it should reverse the changes for command option symmetry.

Hopefully this helps someone else that runs across it.

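A check for the asymmetry described in the post above, written as an added example for this thread (it is not VMware's code or the poster's): after esxcfg-firewall --enableService sshServer, it confirms that sshd is still enabled at boot and actually listening, and can be re-run after a mgmt-vmware restart. It assumes the custom sshd port is given as an argument; the port 2222 and the netstat lines below are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware. After running
# esxcfg-firewall --enableService sshServer on the service console, verify
# that sshd is enabled at boot and listening, since enabling the firewall
# rule does not undo what --disableService did to the sshd init settings.
# Assumption: the custom sshd port is passed as an argument (2222 in the
# sample data below is constructed, not from the thread).

# Return 0 if a `chkconfig --list sshd` line shows sshd "on" in runlevel 3
# (the service console's normal runlevel).
sshd_on_in_runlevel3() {
    case "$1" in
        *3:on*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Return 0 if `netstat -ltn` style output ($2, passed as one string so it
# can be tested offline) shows a TCP listener on port $1.
listening_on_port() {
    printf '%s\n' "$2" | grep -Eq "^tcp +[0-9]+ +[0-9]+ +[^ ]*:$1 +.*LISTEN"
}

# Run both checks against the live system and report drift; returns
# non-zero if either fails, so it can be scheduled after mgmt-vmware restarts.
check_ssh_symmetry() {
    port="$1"
    rc=0
    if ! sshd_on_in_runlevel3 "$(chkconfig --list sshd 2>/dev/null)"; then
        echo "drift: sshd is not enabled at boot (chkconfig --list sshd)"
        rc=1
    fi
    if ! listening_on_port "$port" "$(netstat -ltn 2>/dev/null)"; then
        echo "drift: nothing listening on tcp/$port (sshd not running?)"
        rc=1
    fi
    return $rc
}

# Constructed sample netstat output, used only for offline testing.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Live usage on the service console: sh check_ssh.sh --check 2222
if [ "$1" = "--check" ]; then
    check_ssh_symmetry "${2:-22}"
fi
```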
GBromage
Expert

Hi there!

What's happening does (sort-of) make sense...

> esxcfg-firewall --disableService sshServer
>
> That doesn't just shut port 22 in the firewall. It also shuts down the sshd service and sets it not to start by default under any init levels.

That's right - because you didn't tell it to disable the port. You told it to disable the service.

If you want to change the port number associated with the service then (I think) the file you need to edit is /etc/vmware/firewall/services.xml

However, as with all such things, editing this file may affect your support from VMware, your interaction with VirtualCenter, the file may be overwritten by future patches, your girlfriend might leave you, your car will get an oil leak, etc., etc.

Hope that helps you,

Greg

rsmclane
Contributor

> That's right - because you didn't tell it to disable the port. You told it to disable the service.

Well, that would make complete sense if I wasn't supposedly configuring the firewall. However, I can sort of see where this is coming from. My main gripe was the fact that when you enable the service, it doesn't undo any of the changes to the service, only to the firewall. It's inconsistent.
