Port range and esxcfg-firewall

A common mistake when opening or closing a port range with the ESX (3.0.2 and 3.5) firewall is using a dash (-) as the divider. Unfortunately, using the dash does not always produce an error. To open or close a port range you should use a colon (:) as the divider:

esxcfg-firewall --openport 6000:6010,tcp,in,test

Normally, using a dash as the divider should result in the following error:

[root@server1 /]# esxcfg-firewall -o 7000-7010,tcp,in,test
2007-12-26 20:54:52 (6842) ERROR: 'iptables /sbin/iptables -A INPUT -p tcp --dport 7000-7010 -j ACCEPT' failed
2007-12-26 20:54:52 (6842) ERROR: Panic! Stack trace follows:
2007-12-26 20:54:52 (6842) ERROR: VMware::Panic VMware::Panic::DumpStackTrace in /usr/lib/vmware/esx-perl/perl5/site_perl/5.8.0/VMware/Panic.pm line 59
2007-12-26 20:54:52 (6842) ERROR: main VMware::Panic::Panic in /usr/sbin/esxcfg-firewall line 661
2007-12-26 20:54:52 (6842) ERROR: main main::IpTables in /usr/sbin/esxcfg-firewall line 492
2007-12-26 20:54:52 (6842) ERROR: main main::FWAddCustomPorts in /usr/sbin/esxcfg-firewall line 545
2007-12-26 20:54:52 (6842) ERROR: main main::FWLoad in /usr/sbin/esxcfg-firewall line 1039
2007-12-26 20:54:52 (6842) ERROR: Getopt::Long main::OpenPort in /usr/lib/perl5/5.8.0/Getopt/Long.pm line 478
2007-12-26 20:54:52 (6842) ERROR: Getopt::Long (eval) in /usr/lib/perl5/5.8.0/Getopt/Long.pm line 477
2007-12-26 20:54:52 (6842) ERROR: main Getopt::Long::GetOptions in /usr/sbin/esxcfg-firewall line 1131
2007-12-26 20:54:52 (6842) ERROR: Making panic callbacks…
2007-12-26 20:54:52 (6842) ERROR: Done, exiting with code -19. Goodbye!

The weird thing is that when you query the firewall it says the port range is open, but when you restart the firewall service it produces the same error again. It seems that iptables isn't fond of the dash, and esxcfg-firewall neither converts it nor stops the port range from being submitted to iptables.
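As an added example (not code from the post), a POSIX sh function that checks a port spec before it is handed to esxcfg-firewall, so the dash mistake is caught locally instead of surfacing as the iptables panic shown above. The field grammar PORT[:PORT],tcp|udp,in|out,NAME follows the command line in the post; the character set allowed for NAME is an assumption.

```shell
#!/bin/sh
# check_portspec: validate one esxcfg-firewall --openport/--closeport argument
# before it is submitted, so a dash-separated range never reaches iptables.
# Expected shape (as used in the post): PORT[:PORT],tcp|udp,in|out,NAME
# Prints the spec and returns 0 when it is well formed; otherwise writes the
# reason to stderr and returns 1.
check_portspec() {
    spec=$1
    # Exactly four non-empty, comma-separated fields.
    case "$spec" in
        *,*,*,*,*|*,,*|,*|*,) echo "expected PORT[:PORT],PROTO,DIR,NAME: $spec" >&2; return 1 ;;
        *,*,*,*) ;;
        *) echo "expected PORT[:PORT],PROTO,DIR,NAME: $spec" >&2; return 1 ;;
    esac
    ports=${spec%%,*}
    rest=${spec#*,};  proto=${rest%%,*}
    rest=${rest#*,};  dir=${rest%%,*}
    name=${rest#*,}

    # The pitfall from the post: '-' is accepted by the tool but makes iptables panic.
    case "$ports" in
        *-*)   echo "use ':' rather than '-' for a port range: $ports" >&2; return 1 ;;
        *:*:*) echo "a range has exactly one ':': $ports" >&2; return 1 ;;
    esac
    lo=${ports%%:*}; hi=${ports##*:}
    for p in "$lo" "$hi"; do
        case "$p" in
            ''|*[!0-9]*) echo "port is not a number: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    if [ "$lo" -gt "$hi" ]; then
        echo "range start is above its end: $ports" >&2; return 1
    fi
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp: $proto" >&2; return 1 ;; esac
    case "$dir"   in in|out)  ;; *) echo "direction must be in or out: $dir" >&2; return 1 ;; esac
    # Assumption: service names are restricted to letters, digits and '_'.
    case "$name" in
        ''|*[!A-Za-z0-9_]*) echo "bad service name: '$name'" >&2; return 1 ;;
    esac
    echo "$spec"
}
```

Used as a gate, `check_portspec "$1" >/dev/null && esxcfg-firewall --openport "$1"` only reaches the firewall tool with a spec that iptables will accept.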


    Comments

    1. Lane Leverett says:

      Another option, especially when there are a ton of ports to open would be to add a new service. I had to do this when testing out ESX 3.5 and I found it did not have the AAMClient (which is needed for FastSCP to work) listed as a service I could open in the firewall. So what I ended up doing was editing /etc/vmware/firewall/services.xml and added another service id (the next available id which for me was 31) and copied the syntax from one of my 3.0.2 hosts that had the AAMClient installed. So what I got is what follows:

      <!-- The XML tags were lost when this comment was posted. The element names below follow
           the apcupsd example in comment 3; the <begin>/<end> range elements and the zero-padded
           service id attribute are assumed from the ESX 3.x services.xml layout. -->
      <service id='0031'>
        <id>AAMClient</id>
        <rule id='0000'>
          <direction>outbound</direction>
          <protocol>tcp</protocol>
          <port type='dst'>
            <begin>2050</begin>
            <end>5000</end>
          </port>
          <flags>-m state --state NEW</flags>
        </rule>
        <rule id='0001'>
          <direction>outbound</direction>
          <protocol>udp</protocol>
          <port type='dst'>
            <begin>2050</begin>
            <end>5000</end>
          </port>
          <flags>-m state --state NEW</flags>
        </rule>
        <rule id='0002'>
          <direction>outbound</direction>
          <protocol>tcp</protocol>
          <port type='dst'>
            <begin>8042</begin>
            <end>8045</end>
          </port>
          <flags>-m state --state NEW</flags>
        </rule>
        <rule id='0003'>
          <direction>outbound</direction>
          <protocol>udp</protocol>
          <port type='dst'>
            <begin>8042</begin>
            <end>8045</end>
          </port>
          <flags>-m state --state NEW</flags>
        </rule>
        <rule id='0004'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <port type='dst'>
            <begin>2050</begin>
            <end>5000</end>
          </port>
          <flags>-m state --state NEW</flags>
        </rule>
        <rule id='0005'>
          <direction>inbound</direction>
          <protocol>udp</protocol>
          <port type='dst'>
            <begin>2050</begin>
            <end>5000</end>
          </port>
          <flags>-m state --state NEW</flags>
        </rule>
        <rule id='0006'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <port type='dst'>
            <begin>8042</begin>
            <end>8045</end>
          </port>
          <flags>-m state --state NEW</flags>
        </rule>
        <rule id='0007'>
          <direction>inbound</direction>
          <protocol>udp</protocol>
          <port type='dst'>
            <begin>8042</begin>
            <end>8045</end>
          </port>
          <flags>-m state --state NEW</flags>
        </rule>
      </service>

      Then I enabled the client with "esxcfg-firewall -e AAMClient". It requires a little up front work, but makes it easier for any junior administrators not familiar with the service console to be able to check or uncheck the box to open or close those ports through the VI Client. Hope this helps out!!

      Lane

    2. wing figgles says:

      Did you not connect your ESX server to virtual center? The AAM client + firewall settings are enabled by the vpxa client rpm.

    3. Amos says:

      An even better option would be to duplicate an existing xml file in the /etc/vmware/firewall folder and modify to suit. I did this for apcupsd (for a “net” client config) and it looked like the following (except I have changed the XML brackets for parentheses in the hopes that they might actually post on this page):

      (!– Firewall configuration information for apcupsd client –)
      (ConfigRoot)
      (service)
      (id)apcupsd(/id)
      (rule id='0000')
      (direction)outbound(/direction)
      (protocol)tcp(/protocol)
      (port type=’dst’)3551(/port)
      (flags)-m state --state NEW(/flags)
      (/rule)
      (/service)
      (/ConfigRoot)
