Search the VMware Knowledge Base (KB)
View by Article ID

Creating custom firewall rules in VMware ESXi 5.x (2008226)

  • 35 Ratings


There is a defined set of firewall rules for ESXi 5.x for Incoming and Outgoing connections on either TCP, UDP, or both.
You may be required to open the firewall for the defined port on TCP or UDP that is not defined by default in Firewall Properties under Configuration > Security Profile on the vSphere Client.


This article provides instructions on creating custom firewall rules in ESXi 5.x via the command line.

Note: Custom firewall rules can be created only for those ports that are defined by default in the Firewall Properties under Security Profile on the vSphere Client.


By default, there is a set of predefined firewall rules that can be enabled/disabled for the ESXi host from the vSphere Client.

These firewall services can be enabled/disabled for the defined ports (UDP/TCP) from the vSphere Client. However, if you need to enable the service on a protocol that is not defined, you must create new firewall rules from the command line.

For example, the DNS Client service can be enabled/disabled only on UDP port 53.

To enable DNS for TCP:

  1. Open an SSH connection to the host. For more information, see Using ESXi Shell in ESXi 5.0 and 6.0 (2004746).

  2. List the firewall rules by running the command:

    # esxcli network firewall ruleset list
    Name            Enabled
    --------------  -----------------
    sshServer       true
    sshClient       false
    nfsClient       true
    dhcp            true
    dns             true
    snmp            true
    ntpClient       false
    CIMHttpServer   true
    CIMHttpsServer  true
    CIMSLP          true
    iSCSI           true

    Note: On the vSphere Client, the DNS service is open on port 53 for UDP only.

To enable the DNS service on port 53 for TCP:

  1. Back up the /etc/vmware/firewall/service.xml file by running the command:

    # cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak

  2. Modify the access permissions of the service.xml file to allow writes by running the chmod command:

    To allow writes:

    # chmod 644 /etc/vmware/firewall/service.xml

    To toggle the sticky bit flag:

    # chmod +t /etc/vmware/firewall/service.xml

  3. Open the service.xml file in a text editor.

  4. Add this rule to the service.xml file:

    <service id="0032">
    <rule id='0000'>

    Rule set configuration file example:

    <service id='0000'>
    <rule id = '0000'>
    <rule id='0001'>

    For more information, see the Rule Set Configuration Files section of the vSphere 5.0 Security Guide.

  5. Revert the access permissions of the service.xml file to the read-only default by running the command:

    # chmod 444 /etc/vmware/firewall/service.xml

  6. Refresh the firewall rules for the changes to take effect by running the command:

    # esxcli network firewall refresh


    # localcli network firewall refresh

    Note: This setting does not persist after a reboot. To make it persist, see Changing the port used by SSH on an ESXi 5.0 host (2011818). With ESXi 5.1.x, changes to the existing service.xml file is persistent after reboot.

  7. List the rules again to confirm by running the command:

    # esxcli network firewall ruleset list

    Name            Enabled
    --------------  -----------------
    sshServer       true
    sshClient       false
    nfsClient       true
    dhcp            true
    dns             true
    snmp            true
    ntpClient       false
    CIMHttpServer   true
    CIMHttpsServer  true
    CIMSLP          true
    iSCSI           true
    DNSTCPOut       true

  • The new DNSTCPOut firewall rule allows outgoing connections on TCP port 53. New firewall rules and services are also viewable under the Host Configuration section in Security Profile using the vSphere Client.
  • ESXi 5.0 Update 1 (build 623860) has a built-in outbound DNS Client running on port 53 (TCP/UDP), which is enabled by default. No action is required to configure DNS client if you are using ESXi 5.0 Update 1.

Additional Information

For more information on modifying file access permissions, see the chmod Wikipedia page.

See Also

Update History

06/26/2012 - Added link to the vSphere Security guide

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 35 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 35 Ratings