VMware Cloud Community
henrydenhengst
Contributor

ports in VI3.5

I notice that the ports used by VI3.5 differ slightly from the ones used in VI3.X.

Can somebody give me a list of the ports used in VI3.5 and their purpose?

Thank you!

weinstein5
Immortal

Check out page 183 of - list all the ports necessary for management access -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

Texiwill
Leadership

Hello,

Almost everything has moved to the reverse proxy, so in essence you may be able to get away with only NTP, SSH, and HTTPS being available. As of ESX v3.5 Update 2, port 902, for example, does not need to be open on your ESX firewall.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
henrydenhengst
Contributor

The VMware Network Communications ESX3.5 and VC2.5 is not correct according to the defaults of the standard ESX firewall settings (iptables -L), which show that the License Server TCP ports 27000 and 27010 are only allowed for outgoing traffic.

So the arrows should point ONLY out to the License Server, NOT both ways.

If you want to test this, try to nmap an ESX server: nmap -sT -p 27000,27010

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on xxxxxxxxxxxxxx (xxx.xxx.xxx.xxx):
Port       State       Service
27000/tcp  filtered    unknown
27010/tcp  filtered    unknown

These are the standard results of iptables -L from the ESX service console:

Chain INPUT (policy DROP)
target                    prot opt source               destination
ACCEPT                    all  --  anywhere             anywhere
valid-tcp-flags           tcp  --  anywhere             anywhere
valid-source-address      !udp --  anywhere             anywhere
valid-source-address-udp  udp  --  anywhere             anywhere
valid-source-address      tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
icmp-in                   icmp --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:vmware-authd state NEW
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:http state NEW
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:https state NEW
ACCEPT                    udp  --  anywhere             anywhere            udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT                    udp  --  anywhere             anywhere            udp dpt:svrloc
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:svrloc state NEW
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:5989 state NEW
ACCEPT                    udp  --  anywhere             anywhere            udp dpt:snmp
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:5988 state NEW
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:2301
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:2381

Chain FORWARD (policy DROP)
target                    prot opt source               destination

Chain OUTPUT (policy DROP)
target                    prot opt source               destination
ACCEPT                    all  --  anywhere             anywhere
valid-tcp-flags           tcp  --  anywhere             anywhere
icmp-out                  icmp --  anywhere             anywhere
ACCEPT                    udp  --  anywhere             anywhere            udp spts:1024:65535 dpt:domain
ACCEPT                    tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:domain
ACCEPT                    all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:vmware-authd state NEW
ACCEPT                    udp  --  anywhere             anywhere            udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT                    udp  --  anywhere             anywhere            udp spt:svrloc
ACCEPT                    tcp  --  anywhere             anywhere            tcp spt:svrloc state NEW
ACCEPT                    udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:https state NEW
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:vmware-authd state NEW
ACCEPT                    udp  --  anywhere             anywhere            udp dpt:snmptrap
ACCEPT                    udp  --  anywhere             anywhere            udp dpt:902 state NEW
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:27000 state NEW
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:27010 state NEW
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:402
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:280
ACCEPT                    tcp  --  anywhere             anywhere            tcp dpt:4300
REJECT                    all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain icmp-in (1 references)
target                    prot opt source               destination
ACCEPT                    icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT                    icmp --  anywhere             anywhere            icmp echo-request
ACCEPT                    icmp --  anywhere             anywhere            icmp fragmentation-needed
DROP                      all  --  anywhere             anywhere

Chain icmp-out (1 references)
target                    prot opt source               destination
ACCEPT                    icmp --  anywhere             anywhere            icmp echo-request
ACCEPT                    icmp --  anywhere             anywhere            icmp echo-reply
DROP                      all  --  anywhere             anywhere

Chain log-and-drop (7 references)
target                    prot opt source               destination
LOG                       all  --  anywhere             anywhere            LOG level debug tcp-options ip-options
DROP                      all  --  anywhere             anywhere

Chain valid-source-address (2 references)
target                    prot opt source               destination
DROP                      all  --  localhost.localdomain  anywhere
DROP                      all  --  0.0.0.0/8            anywhere
DROP                      all  --  anywhere             255.255.255.255

Chain valid-source-address-udp (1 references)
target                    prot opt source               destination
DROP                      all  --  localhost.localdomain  anywhere
DROP                      all  --  0.0.0.0/8            anywhere

Chain valid-tcp-flags (2 references)
target                    prot opt source               destination
log-and-drop              tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
log-and-drop              tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN
log-and-drop              tcp  --  anywhere             anywhere            tcp flags:PSH,ACK/PSH
log-and-drop              tcp  --  anywhere             anywhere            tcp flags:ACK,URG/URG
log-and-drop              tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
log-and-drop              tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
log-and-drop              tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST

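The post above reads the direction of each port off the INPUT and OUTPUT chains by eye. The following script, added here as an example and not code from the thread or from VMware, does the same classification mechanically: it parses an `iptables -L` listing, resolves the service names that iptables prints (ssh, https, vmware-authd and so on, assumed to follow the standard /etc/services values), and reports for every accepted destination port whether the service console permits it inbound, outbound, or both. The embedded listing is a constructed sample reproducing the relevant rules quoted in the post, so it runs offline; on a real host you would feed it the output of `iptables -L` instead.

```python
"""Classify the ports opened by the default ESX 3.5 service-console firewall.

Added example, not code from the thread or from VMware. The listing below is a
constructed sample reproducing rules quoted in the post; the service-name to
port mapping is assumed from the standard /etc/services values."""

import re

# Constructed sample: the relevant ACCEPT rules of the default INPUT/OUTPUT chains.
SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vmware-authd state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:svrloc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5989 state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5988 state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spts:1024:65535 dpt:domain
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vmware-authd state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:902 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:27000 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:27010 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:402
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
"""

# Names iptables -L prints in place of numbers (assumed standard /etc/services values).
SERVICE_PORTS = {
    "ssh": 22, "domain": 53, "http": 80, "ntp": 123, "snmp": 161,
    "snmptrap": 162, "svrloc": 427, "https": 443, "vmware-authd": 902,
}

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
DPT_RE = re.compile(r"\bdpt:(\S+)")


def port_number(name):
    """Resolve a numeric port or a known service name to an int."""
    return int(name) if name.isdigit() else SERVICE_PORTS[name]


def accepted_destination_ports(listing):
    """Return {chain: {(proto, port), ...}} for ACCEPT rules that name a dpt:."""
    opened = {}
    chain = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            opened.setdefault(chain, set())
            continue
        if chain is None or not line.startswith("ACCEPT"):
            continue
        proto = line.split()[1]
        m = DPT_RE.search(line)
        if m and proto in ("tcp", "udp"):
            opened[chain].add((proto, port_number(m.group(1))))
    return opened


def classify(listing):
    """Map each (proto, port) to 'inbound', 'outbound' or 'both'."""
    opened = accepted_destination_ports(listing)
    inbound = opened.get("INPUT", set())
    outbound = opened.get("OUTPUT", set())
    result = {}
    for key in inbound | outbound:
        if key in inbound and key in outbound:
            result[key] = "both"
        elif key in inbound:
            result[key] = "inbound"
        else:
            result[key] = "outbound"
    return result


if __name__ == "__main__":
    for (proto, port), direction in sorted(classify(SAMPLE_IPTABLES).items()):
        print(f"{proto}/{port:<6} {direction}")
```

Run against the sample, the license-server ports 27000 and 27010 come out as outbound only, which is exactly why the nmap scan above reports them as filtered, while TCP 902 (vmware-authd) is accepted in both chains. Rules that match only on state RELATED,ESTABLISHED or on source ports are deliberately ignored, since they describe return traffic rather than a listening service.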