ESXi includes a firewall that is enabled by default.
At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for services that are enabled in the host's security profile.
How to disable ESXi firewall. 23 January, 2013. For a project I had to disable the ESXi firewall on a host permanently. To be honest, it isn’t something I would do normally or would recommend even. It wasn’t listed in “chkconfig”, which kinda makes sense, so I looked at the networking section of esxcli. What an awesome command by the way! If your environment includes multiple ESXi hosts, automating firewall configuration by using ESXCLI commands or the vSphere Web Services SDK is recommended. Firewall Command Reference. You can use the ESXi Shell or vSphere CLI commands to configure ESXi at the command line to automate firewall configuration. See Getting Started with vSphere Command-Line Interfaces for an introduction,.
As you open ports on the firewall, consider that unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to enable access only from authorized networks.
Note: The firewall also allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
You can manage ESXi firewall ports as follows:
Use Configure > Firewall for each host in the vSphere Client. See Manage ESXi Firewall Settings.
Use ESXCLI commands from the command line or in scripts. See ESXi ESXCLI Firewall Commands.
Use a custom VIB if the port you want to open is not included in the security profile.
You create custom VIBs with the VIB Author tool available from VMware Labs. To install the custom VIB, you have to change the acceptance level of the ESXi host to CommunitySupported. See VMware Knowledge Base Article 2007381.
Note: If you engage VMware Technical Support to investigate a problem on an ESXi host with a CommunitySupported VIB installed, VMware Support might request you to uninstall this VIB. Such a request is a troubleshooting step to determine if that VIB is related to the problem being investigated.
The behavior of the NFS Client rule set (nfsClient) is different from other rule sets. When the NFS Client rule set is enabled, all outbound TCP ports are open for the destination hosts in the list of allowed IP addresses. See NFS Client Firewall Behavior for more information.
For a project I had to disable the ESXi firewall on a host permanently. To be honest, it isn’t something I would do normally or would recommend even. It wasn’t listed in “chkconfig”, which kinda makes sense, so I looked at the networking section of esxcli. What an awesome command by the way! Quickly after “tab’ing” through esxcli I figured out how to disable it permanently:
esxcli network firewall set --enabled false
I figured I would write it down, because this is the stuff I tend to forget easily.
PS: If you ever need anything around esxcli, the vSphere Blog is a good place to check as most of the relevant posts are tagged with “esxcli”.