Info Sharing Blog

Wednesday, July 8, 2020

ESXi 6.x Custom Firewall Ruleset Creation

July 08, 2020 Posted by jaacostan

As you may all know, the ESXi host comes with an inbuilt firewall, similar to firewalld on Linux or the built-in Windows Firewall, and the ESXi firewall is enabled by default.

You can configure incoming and outgoing firewall connections for a service or a management agent from the vSphere Client or at the command line, but defining a custom firewall port for a service has to be done at the command line.

This article shows how to create a custom firewall ruleset in ESXi 6.x for any service, taking syslog as the example. The article linked below explains how to configure syslog in ESXi using the default syslog ports (TCP/UDP 514, 1514), as seen below.

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.esxi.upgrade.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html


-- Important point to remember: once you specify a custom port number in the above config, logs will not be sent over that port until you create the matching ESXi custom firewall ruleset.

Syslog Service


Default Firewall Rule set for Syslog

Note: Each ESXi service is tied to a firewall ruleset; when the service is started, the ruleset is enabled by default, and there is no option in the GUI to change the default ports in the firewall ruleset.

Why would you want to configure a custom port?

It depends on several factors, such as security requirements or the requirements of the syslog log collection server.

Set the syslog details in ESXi before creating the custom ruleset for it.

We can set the syslog details either via the GUI (syslog.global.loghost) or via the command line, as below:

In the above example, we use UDP 22222 as the custom syslog port and 192.168.5.5 as the syslog server IP.

Note:

* The port has to be configured and listening on the destination server

* The port has to be allowed on the network firewall (if any)

To Set a Custom firewall Rule Set

A few important ESXi firewall commands can be found in the reference links listed at the end.

1.      Log in to the ESXi host, browse to the firewall configuration location and take a backup of the config.

$ cd /etc/vmware/firewall/

$ cp service.xml service.xml.bak

      -- service.xml is the firewall config file

2.      By default the “service.xml” file is read-only and no changes are allowed. To enable write permission, run the commands below.

$ chmod 644 /etc/vmware/firewall/service.xml    -- To enable write access

$ chmod +t /etc/vmware/firewall/service.xml     -- To toggle the sticky bit flag (this ensures only the file owner, root, can modify the file permissions)

The screenshot above shows an “Operation not permitted” error: by default the firewall is enabled and loaded, so disable and unload it first as per step 3, then perform step 2 again.

3.      To disable and unload the firewall, run:

$ esxcli network firewall set --enabled false

$ esxcli network firewall unload

4.      Perform step 2 again to enable write permission on the file.

5.      Open the file in the vi editor to add the custom ruleset. Press “i” to insert and scroll to the bottom to add the new ruleset.

6.      Add the entry below at the bottom of the configuration and save the file.

  <service id="increment the service id by 1 of the last entry">
    <id>CustomSyslog</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>22222</port>
    </rule>
    <enabled>true</enabled>
    <required>true</required>
  </service>

7.      Once saved, change the file permissions back to read-only:

$ chmod 444 /etc/vmware/firewall/service.xml

$ chmod -t /etc/vmware/firewall/service.xml

8.      Then load the firewall and enable it:

$ esxcli network firewall load

$ esxcli network firewall set --enabled true

$ esxcli network firewall refresh

9.      You can view the new custom ruleset in the firewall list in the GUI and at the command line as below:

$ esxcli network firewall get

$ esxcli network firewall ruleset list | grep -i "syslog"

You will see the new custom ruleset named “CustomSyslog” added, with the outgoing port set to UDP 22222.
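The service entry from step 6 built programmatically, as an added example that is not part of the original post and not VMware tooling: it takes a constructed sample of service.xml (two existing entries, not the real file) and a Syslog.global.logHost value such as udp://192.168.5.5:22222, derives the protocol and port from that value (the udp://, tcp:// and ssl://host:port forms are assumed), refuses a duplicate ruleset name, and appends a service entry whose id is the last entry's id plus one, zero-padded like the existing ids. The function and sample names are the example's own.

```python
"""Build an ESXi custom firewall ruleset entry from the configured syslog loghost.

Added example (not from the original post or from VMware): works on a
constructed copy of /etc/vmware/firewall/service.xml, never on a live host.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of service.xml with two existing entries (not the real file).
SAMPLE_SERVICE_XML = """<ConfigRoot>
  <service id="0000">
    <id>sshServer</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>22</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
  <service id="0001">
    <id>syslog</id>
    <rule id="0000">
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>514</port>
    </rule>
    <enabled>true</enabled>
    <required>true</required>
  </service>
</ConfigRoot>
"""


def parse_loghost(loghost):
    """Return (protocol, port) from a Syslog.global.logHost value.

    Assumption: the value looks like udp://host:port, tcp://host:port or
    ssl://host:port. The firewall rule only knows udp/tcp, so ssl maps to tcp.
    """
    parts = urlsplit(loghost)
    if parts.scheme not in ("udp", "tcp", "ssl") or parts.port is None:
        raise ValueError("loghost must be udp://, tcp:// or ssl://host:port, got %r" % loghost)
    return ("tcp" if parts.scheme == "ssl" else parts.scheme, parts.port)


def add_custom_ruleset(service_xml, name, loghost):
    """Append a <service> named `name` allowing outbound traffic to the loghost port.

    The new service id is the highest existing id plus one, zero-padded to four
    digits like the existing entries. Returns the updated XML as a string.
    """
    root = ET.fromstring(service_xml)
    services = root.findall("service")
    if name in {s.findtext("id") for s in services}:
        raise ValueError("a ruleset named %r already exists" % name)
    ids = [int(s.get("id")) for s in services]
    new_id = "%04d" % (max(ids) + 1 if ids else 0)
    protocol, port = parse_loghost(loghost)

    service = ET.SubElement(root, "service", id=new_id)
    ET.SubElement(service, "id").text = name
    rule = ET.SubElement(service, "rule", id="0000")
    ET.SubElement(rule, "direction").text = "outbound"
    ET.SubElement(rule, "protocol").text = protocol
    ET.SubElement(rule, "porttype").text = "dst"
    ET.SubElement(rule, "port").text = str(port)
    ET.SubElement(service, "enabled").text = "true"
    ET.SubElement(service, "required").text = "true"
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode") + "\n"


def find_ruleset(service_xml, name):
    """Return (service id, [(direction, protocol, port), ...]) for `name`, or None."""
    root = ET.fromstring(service_xml)
    for s in root.findall("service"):
        if s.findtext("id") == name:
            rules = [(r.findtext("direction"), r.findtext("protocol"), int(r.findtext("port")))
                     for r in s.findall("rule")]
            return s.get("id"), rules
    return None


if __name__ == "__main__":
    updated = add_custom_ruleset(SAMPLE_SERVICE_XML, "CustomSyslog", "udp://192.168.5.5:22222")
    print(updated)
    print(find_ruleset(updated, "CustomSyslog"))
```

Deriving the port from the loghost value rather than typing it twice is the point: the ruleset only does anything if its port matches the one syslog was configured with. ElementTree drops XML comments on round-trip, so if you use this approach on a real service.xml, diff the result against the service.xml.bak from step 1 before copying it into place.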

Note: This article is written based on ESXi version 6.x


Reference

https://kb.vmware.com/s/article/2008226

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.esxi.upgrade.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-8912DD42-C6EA-4299-9B10-5F3AEA52C605.html

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-7A8BEFC8-BF86-49B5-AE2D-E400AAD81BA3.html#GUID-7A8BEFC8-BF86-49B5-AE2D-E400AAD81BA3

https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.troubleshooting.doc%2FGUID-54AFB94B-75DE-4895-B1BF-EE498F92B717.html