Troubleshooting the firewall policy on an ESX Server
Purpose
Resolution
Validating if the ESX Server firewall policy is too restrictive
In a default installation of ESX Server 3, the service console includes a firewall (an iptables rule set managed with the esxcfg-firewall command) to secure the ESX Server service console. By default it blocks incoming and outgoing communication for everything but the essential system services used by your ESX Server. Communication to and from the server may be interrupted if the firewall policy has become corrupt or if a port a service needs was never opened.
To validate whether the ESX Server firewall policy is too restrictive:
- Log in to your ESX Server as root from either an SSH session or directly from the console of the server.
- Stop the firewall, run:
service firewall stop
This stops the firewall; until it is started again, all traffic is allowed to and from the ESX Server service console. The following appears on the screen:
[root@server]# service firewall stop
Stopping firewall [ OK ]
[root@server]#
- Verify whether the problem still exists after stopping the firewall. If the task still fails, the ESX Server firewall is not the problem. If it now completes successfully, the ESX Server firewall policy is either corrupt or the required ports have not been opened. For more information, see Resetting the ESX Server firewall policy below.
Note: While the firewall is stopped, every service listening in the service console is reachable from any host that can route to it. Run this test from a trusted management network, keep the window as short as possible, and restart the firewall as soon as the check is done.
To restart the ESX Server firewall after you have completed the validation:
- Log in to your ESX Server as root from either an SSH session or directly from the console of the server.
- Start the firewall, run:
service firewall start
When you start the service, the following appears on the screen:
[root@server]# service firewall start
Starting firewall [ OK ]
[root@server]#
- Disconnect from the ESX Server, run:
logout
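The stop, test, start sequence above is easy to get wrong by hand: if the check hangs or the SSH session drops, the firewall stays down. The following script is an added example and not part of the VMware KB. It runs one check with the firewall up, repeats it with the firewall stopped only if it failed, and installs a trap so the firewall is started again even if the script is interrupted. The names with_firewall_down and FW_SERVICE_CMD are this example's own; FW_SERVICE_CMD defaults to "service firewall", the command the KB uses, and can be pointed at a stub for a dry run. The ping target is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the VMware KB: run one connectivity check with the
# service console firewall up, then (only if it failed) with the firewall
# stopped, and make sure the firewall is started again even if the check hangs,
# fails or the session is killed. Run as root on the ESX host.
#
# Assumptions not stated in the KB: the check is passed as a command line
# (e.g. "ping -c 2 vcenter.example.com"), and FW_SERVICE_CMD names the init
# script wrapper (default "service firewall", the command the KB uses); it can
# be pointed at a stub function for dry runs.

FW_SERVICE_CMD="${FW_SERVICE_CMD:-service firewall}"
FW_RESTART_NEEDED=0

fw_restore() {
    # Start the firewall again if this script stopped it. Installed as a trap
    # so the service console is never left open by accident.
    if [ "$FW_RESTART_NEEDED" -eq 1 ]; then
        $FW_SERVICE_CMD start >/dev/null 2>&1
        FW_RESTART_NEEDED=0
    fi
}

# with_firewall_down CMD [ARGS...]
# Exit status is the verdict:
#   0  CMD works with the firewall up: the firewall is not the problem
#   1  CMD fails with the firewall up and down: look elsewhere (routing, DNS,
#      the remote service); do not reset the policy
#   2  CMD fails only while the firewall is up: the policy blocks it, so open
#      the required port or reset the policy as described in the KB
with_firewall_down() {
    [ "$#" -ge 1 ] || { echo "usage: with_firewall_down CMD [ARGS...]" >&2; return 64; }

    if "$@" >/dev/null 2>&1; then
        echo "OK with the firewall up: the firewall is not the problem"
        return 0
    fi

    # From here on every service console port is reachable: keep it short.
    trap fw_restore EXIT INT TERM HUP
    FW_RESTART_NEEDED=1
    if ! $FW_SERVICE_CMD stop >/dev/null 2>&1; then
        FW_RESTART_NEEDED=0
        trap - EXIT INT TERM HUP
        echo "could not stop the firewall" >&2
        return 65
    fi

    if "$@" >/dev/null 2>&1; then
        verdict=2
        echo "fails with the firewall up, works with it down: the policy blocks this traffic"
    else
        verdict=1
        echo "fails with the firewall up and down: the firewall is not the cause"
    fi

    fw_restore
    trap - EXIT INT TERM HUP
    return "$verdict"
}

# Uncomment to run one check on the host (placeholder target):
# with_firewall_down ping -c 2 vcenter.example.com
```

A verdict of 1 is the useful negative result: the KB's procedure only tells you the firewall is not the cause, and this script says so without ever leaving the firewall stopped longer than the second run of the check takes. A verdict of 2 means you should open the port properly or reset the policy, not keep the firewall off.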
Resetting the ESX Server firewall policy
Resetting the ESX Server firewall policy returns the rules to their default state. This is useful for troubleshooting a misconfigured or corrupt ESX Server firewall configuration, because it rules out a bad custom rule as the cause.
Caution: All customizations to the firewall policy are lost when you reset the ESX Server firewall policy. Record the services and ports you have enabled before resetting (esxcfg-firewall -q lists the current settings) so you can reapply them afterward. For more information on customizing the firewall rules, see the section "Service Console Firewall Configuration" in the ESX Server Configuration Guides:
- ESX Server 3.0.x documentation (HTML, or PDF page 239).
- ESX Server 3.5.x documentation (HTML, or PDF page 229).
To reset the ESX Server firewall policy:
- Log in to your ESX Server as root from either an SSH session or directly from the console of the server.
- Reset the firewall, run:
esxcfg-firewall -r
Note: There is no output to the screen.
- When the prompt returns, restart the firewall so that the default rules are loaded, run:
service firewall restart
The following appears on the screen:
[root@server]# service firewall restart
Stopping firewall [ OK ]
Starting firewall [ OK ]
[root@server]#
Additional Information
There is a known issue with ESX Server 3.0.x: if the /etc/vmware/firewall directory contains any file other than service.xml, the ESX Server Management service (vmware-hostd) fails. If this is the case, move all other files out of that directory, then restart the firewall service (service firewall restart) followed by the ESX Server Management service (service mgmt-vmware restart). This issue is resolved in ESX Server 3.5.0 and later.
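The following script is an added example and not part of the VMware KB. It lists anything other than service.xml in the firewall definition directory (hidden files included, since editor backup and swap files such as "service.xml~" or ".service.xml.swp" are a typical way this happens), moves those entries to a quarantine directory instead of deleting them, and with --apply restarts the two services in the order the KB gives. FW_DIR and QUARANTINE_DIR are this example's own variables; FW_DIR can be pointed at a copy to exercise the check safely.

```shell
#!/bin/sh
# Added example, not part of the VMware KB: find and quarantine anything other
# than service.xml in the firewall definition directory, the condition the KB
# describes as breaking vmware-hostd on ESX Server 3.0.x (editor backup files
# such as "service.xml~" or ".service.xml.swp" are a typical cause).
#
# Assumptions not stated in the KB: FW_DIR overrides the directory so the check
# can be exercised on a copy, and moved files go to QUARANTINE_DIR. The
# restart commands are the standard ESX 3 init scripts.

FW_DIR="${FW_DIR:-/etc/vmware/firewall}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/root/firewall-quarantine}"

# stray_files DIR: print the full path of every entry in DIR except
# service.xml (hidden files included), one per line.
stray_files() {
    for path in "$1"/* "$1"/.*; do
        case "${path##*/}" in
            service.xml|.|..) continue ;;
        esac
        # an unmatched glob is left as the literal pattern; skip it
        [ -e "$path" ] || [ -L "$path" ] || continue
        printf '%s\n' "$path"
    done
}

# count_stray_files DIR: number of stray entries (0 means the directory is clean)
count_stray_files() {
    stray_files "$1" | wc -l | tr -d ' '
}

# quarantine_stray_files DIR DEST: move every stray entry out of DIR into DEST
# (created if needed) rather than deleting it, so it can be inspected later.
quarantine_stray_files() {
    mkdir -p "$2" || return 1
    stray_files "$1" | while IFS= read -r path; do
        mv -- "$path" "$2/" || exit 1   # exit makes the pipeline fail
    done
}

# With --apply, repair the live directory and restart the two services in the
# order the KB gives; without it, only report.
if [ "${1:-}" = "--apply" ]; then
    quarantine_stray_files "$FW_DIR" "$QUARANTINE_DIR" \
        && service firewall restart \
        && service mgmt-vmware restart
else
    echo "stray entries in $FW_DIR: $(count_stray_files "$FW_DIR")"
fi
```

Run it without arguments first to see what would be moved; only run it with --apply on an ESX Server 3.0.x host where vmware-hostd is actually failing, since the restart of mgmt-vmware briefly disconnects VirtualCenter and the VI Client.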
KB Article: 1003634
Updated: Aug 14, 2009
Products: VMware ESX
Product Versions: VMware ESX 3.0.x, VMware ESX 3.5.x

