About the ESXi 5.x and 6.0 firewall (2005284)

Purpose

This article provides information about the Firewall feature introduced in VMware vSphere ESXi 5.0 and later, which provides a new access control capability for ESXi.

Resolution

These are important points about the ESXi 5.x firewall:

  • ESXi 5.0 has a new firewall engine that is not based on iptables.
  • The firewall is enabled by default and allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
  • The UI for configuring the firewall on ESXi 5.x and 6.0 is similar to that used to configure the ESX firewall.
  • The firewall is service oriented.
  • You have the ability to restrict access to specific services based on IP address/Subnet Mask.
  • There is Host Profile support for the ESXi 5.x and 6.0 firewall.
  • If you upgrade from ESX to ESXi 5.x, firewall settings are preserved.
A new esxcli interface named esxcfg-firewall is available in ESXi 5.x. This table summarizes the commands available in this interface:
 
Command
    Description

esxcli network firewall get
    Returns the enabled or disabled status of the firewall and lists default actions.
esxcli network firewall set --default-action
    Update default actions.
esxcli network firewall set --enabled
    Set to true to enable the firewall, set to false to disable the firewall.
esxcli network firewall load
    Load the firewall module and rule set configuration files.
esxcli network firewall refresh
    Refresh the firewall configuration by reading the rule set files if the firewall module is loaded.
esxcli network firewall unload
    Destroy filters and unload the firewall module.
esxcli network firewall ruleset list
    List rule sets information.
esxcli network firewall ruleset set --allowedall
    Set the allowedall flag.
esxcli network firewall ruleset set --enabled
    Enable or disable the specified rule set.
esxcli network firewall ruleset allowedip list
    List the allowed IP addresses of the specified rule set.
esxcli network firewall ruleset allowedip add
    Allow access to the rule set from the specified IP address or range of IP addresses.
esxcli network firewall ruleset allowedip remove
    Remove access to the rule set from the specified IP address or range of IP addresses.
 
For example, to enable the sshClient firewall ruleset:

esxcli network firewall ruleset set --enabled true --ruleset-id=sshClient

Additional Information

For more information about the ESXi 5.0 firewall, see the vSphere Security Guide.

The firewall remains loaded, even when disabled. For example:

Firewall enabled:

# esxcli network firewall set --enabled true
# esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true

Firewall disabled:

# esxcli network firewall set --enabled false
# esxcli network firewall get
Default Action: DROP
Enabled: false
Loaded: true
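The two things a practitioner usually wants from the commands above are a check that the firewall is actually enforcing (the output just shown makes clear that "Loaded: true" alone does not mean that) and a repeatable way to restrict a rule set to an allow-list instead of leaving it open to all sources. The following POSIX sh script is an added example and is not part of the KB article or VMware's own tooling. It assumes it runs in the ESXi shell (or over SSH to the host), that the long-form flag spellings `--ruleset-id`, `--enabled`, `--allowed-all` and `--ip-address` match esxcli's own help, that `sshServer` is a rule set present on the host, and the sample `esxcli network firewall get` output is constructed to mirror the text above. It dry-runs by default (prints the commands); set `DRY_RUN=0` on the host to apply them.

```shell
#!/bin/sh
# Added example: audit ESXi firewall state and lock a rule set to an allow-list.
# Not from the KB article; flag spellings and the sshServer rule set id are
# assumptions (see the lead-in). DRY_RUN=1 (default) prints instead of executing.

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Read `esxcli network firewall get` output on stdin and print a verdict.
# "enforcing" requires BOTH Loaded: true and Enabled: true; a module that is
# loaded but disabled filters nothing, which is the trap the KB text points at.
firewall_verdict() {
    enabled=no
    loaded=no
    while IFS= read -r line; do
        case "$line" in
            *"Enabled: true") enabled=yes ;;   # leading glob tolerates esxcli indentation
            *"Loaded: true")  loaded=yes ;;
        esac
    done
    if [ "$enabled" = yes ] && [ "$loaded" = yes ]; then
        echo enforcing
    elif [ "$loaded" = yes ]; then
        echo loaded-but-disabled
    else
        echo not-loaded
    fi
}

# Restrict a rule set to the given IP addresses / CIDR ranges:
# enable it, clear the "allow all" flag, then add each source explicitly.
# Usage: restrict_ruleset <ruleset-id> <ip-or-cidr> [<ip-or-cidr> ...]
restrict_ruleset() {
    rs="$1"
    shift
    run esxcli network firewall ruleset set --ruleset-id="$rs" --enabled=true
    run esxcli network firewall ruleset set --ruleset-id="$rs" --allowed-all=false
    for ip in "$@"; do
        run esxcli network firewall ruleset allowedip add --ruleset-id="$rs" --ip-address="$ip"
    done
}

# Constructed sample output, matching the "Firewall disabled" case shown above.
SAMPLE_GET_OUTPUT='Default Action: DROP
Enabled: false
Loaded: true'

# Stand-alone demo: classify the sample, then show the lock-down plan for
# sshServer with two constructed management sources (192.0.2.0/24 is TEST-NET-1).
printf 'Sample host state: %s\n' "$(printf '%s\n' "$SAMPLE_GET_OUTPUT" | firewall_verdict)"
restrict_ruleset sshServer 192.0.2.0/24 198.51.100.7
```

On a live host, replace the constructed sample with the real output (`esxcli network firewall get | firewall_verdict`) and treat anything other than `enforcing` as a finding; the ordering in `restrict_ruleset` matters, because clearing `--allowed-all` before any address is added briefly leaves the rule set with no permitted sources, so add the management range first if the session itself depends on that rule set.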

Update History

10/16/2012 - Added ESXi 5.1 and vCenter Server 5.1 to Products
04/15/2014 - Added ESXi 5.5 and vCenter Server 5.5 to Products
06/04/2015 - Added 6.0 products.
