Note: the resolution described below is not applicable to ESXi 7.0 and beyond.
By default, there is a set of predefined firewall rules that can be enabled/disabled for the ESXi host from the vSphere Client.
These firewall services can be enabled/disabled for the defined ports (UDP/TCP) from the vSphere Client. However, if you need to enable the service on a protocol that is not defined, you must create new firewall rules from the command line.
For example, the DNS Client service can be enabled/disabled only on UDP port 53.
To enable DNS for TCP:
- Open an SSH connection to the host. For more information, see Using ESXi Shell in ESXi 5.0 and 6.0 (2004746).
- List the firewall rules by running the command:
# esxcli network firewall ruleset list
Name Enabled
-------------- -----------------
sshServer true
sshClient false
nfsClient true
dhcp true
dns true
snmp true
ntpClient false
CIMHttpServer true
CIMHttpsServer true
CIMSLP true
iSCSI true
Note: On the vSphere Client, the DNS service is open on port 53 for UDP only.
To enable the DNS service on port 53 for TCP:
- Back up the /etc/vmware/firewall/service.xml file by running the command:
# cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak - Modify the access permissions of the service.xml file to allow writes by running the chmod command:
To allow writes:
# chmod 644 /etc/vmware/firewall/service.xml
To toggle the sticky bit flag:
# chmod +t /etc/vmware/firewall/service.xml - Open the service.xml file in a text editor.
- Add this rule to the service.xml file:
<service id="0032">
<id>DNSTCPOut</id>
<rule id='0000'>
<direction>outbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>53</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
Rule set configuration file example:
<ConfigRoot>
<service id='0000'>
<id>serviceName</id>
<rule id = '0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>80</port>
</rule>
<rule id='0001'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>src</porttype>
<port>
<begin>1020</begin>
<end>1050</end>
</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>
For more information, see the Rule Set Configuration Files section of the vSphere 5.0 Security Guide.
5. Revert the access permissions of the service.xml file to the read-only default by running the command:
# chmod 444 /etc/vmware/firewall/service.xml
Note: In case the sticky bit flag gets removed after running the above command it can be toggled again using:
#chmod +t /etc/vmware/firewall/service.xml
- Refresh the firewall rules for the changes to take effect by running the command:
# esxcli network firewall refresh
or
# localcli network firewall refresh
Note: This setting does not persist after a reboot. To make it persist, see Changing the port used by SSH on an ESXi 5.0 host (2011818). With ESXi 5.1.x, changes to the existing service.xml file is persistent after reboot.
- List the rules again to confirm by running the command:
# esxcli network firewall ruleset list
Name Enabled
-------------- -----------------
sshServer true
sshClient false
nfsClient true
dhcp true
dns true
snmp true
ntpClient false
CIMHttpServer true
CIMHttpsServer true
CIMSLP true
iSCSI true
DNSTCPOut true
Notes:
- The new DNSTCPOut firewall rule allows outgoing connections on TCP port 53. New firewall rules and services are also viewable under the Host Configuration section in Security Profile using the vSphere Client.
- ESXi 5.0 Update 1 (build 623860) has a built-in outbound DNS Client running on port 53 (TCP/UDP), which is enabled by default. No action is required to configure DNS client if you are using ESXi 5.0 Update 1.
Workaround:
Prior to ESXi 7.0, you can use the following as a workaround to make changes to the service.xml file persist after reboot:
- Copy the file to a datastore on the host.
- Make the required changes to the file
- In the /etc/rc.local.d/local.sh file add the command to copy and replace the file needed.
- In order to force this command to persist across reboots of the ESXi server host, the command has to be added manually to the /etc/rc.local.d/local.sh file on the ESXi server.
For ESXi 7.0 and beyond: With the security changes implemented in vSphere 7.0 (reference KB
https://kb.vmware.com/s/article/78689) the only supported way to open up ports is through a partner-created VIB to open the ports or change the files needed.