Yellow Bricks

by Duncan Epping

Howto: Adding a firewall service on ESX

Duncan Epping · Dec 31, 2007 ·

Lane Leverett pointed out to me that it’s possible to add a firewall service instead of opening up a huge range, or multiple ranges, for one service by hand. This way a junior system engineer can easily open up a port range via VirtualCenter instead of from the console. I tried this in our test lab with ESX 3.5 and VirtualCenter 2.5 and it works like a charm.

I created a new file “yellowbricks.xml” in the directory /etc/vmware/firewall/ which contains the following:

<!-- Firewall configuration information for Yellow-Bricks -->
<ConfigRoot>
  <service>
    <id>yellowbricks</id>
    <!-- rules 0000/0001: tcp and udp to destination ports 3050-3250 -->
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>
        <begin>3050</begin>
        <end>3250</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <port type='dst'>
        <begin>3050</begin>
        <end>3250</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <!-- rules 0002/0003: tcp and udp to destination ports 9000-9005 -->
    <rule id='0002'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>
        <begin>9000</begin>
        <end>9005</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0003'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <port type='dst'>
        <begin>9000</begin>
        <end>9005</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
  </service>
</ConfigRoot>

Then I restarted the mgmt-vmware service (service mgmt-vmware restart), and the extra service appeared in VirtualCenter. This specific service opens up destination ports 3050-3250 tcp/udp and destination ports 9000-9005 tcp/udp. This is what it looks like in VirtualCenter:

It’s also possible to edit /etc/vmware/firewall/services.xml and add a service there, but I’d rather not touch that file because of upgrades and updates to the system: you never know what you’ll tip over, or what gets tipped over, in the future.
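Because the XML above only takes effect after the management service is restarted, it is worth checking a service file before dropping it into /etc/vmware/firewall/. The script below is an added example and not part of the original post or of VMware’s tooling: it builds a service definition in the same shape as yellowbricks.xml from a list of rules and then checks a definition for the mistakes that are easy to make by hand (duplicate rule ids, an unknown direction or protocol, a backwards or out-of-range port range, and a range so wide that it deserves a second look). The element and attribute names are the ones used in the file above; the MAX_RANGE threshold and the check_service/build_service names are assumptions made for this example.

```python
"""Generate and sanity-check an ESX 3.x firewall service definition.

Added example, not from the original post. The element names (ConfigRoot,
service, id, rule, direction, protocol, port, begin, end, flags) follow the
yellowbricks.xml file shown on the page; MAX_RANGE is an assumed threshold.
"""
import xml.etree.ElementTree as ET

VALID_DIRECTIONS = {"inbound", "outbound"}
VALID_PROTOCOLS = {"tcp", "udp"}
MAX_RANGE = 256  # assumption: flag any single rule that opens more ports than this


def build_service(service_id, rules):
    """Build a service definition.

    rules is a list of (direction, protocol, begin, end) tuples; rule ids are
    numbered 0000, 0001, ... in the order given. Returns the XML as text.
    """
    root = ET.Element("ConfigRoot")
    service = ET.SubElement(root, "service")
    ET.SubElement(service, "id").text = service_id
    for n, (direction, protocol, begin, end) in enumerate(rules):
        rule = ET.SubElement(service, "rule", id="%04d" % n)
        ET.SubElement(rule, "direction").text = direction
        ET.SubElement(rule, "protocol").text = protocol
        port = ET.SubElement(rule, "port", type="dst")
        ET.SubElement(port, "begin").text = str(begin)
        ET.SubElement(port, "end").text = str(end)
        # same iptables flags as the file on the page: only NEW connections
        ET.SubElement(rule, "flags").text = "-m state --state NEW"
    return ET.tostring(root, encoding="unicode")


def check_service(xml_text):
    """Return a list of problems found in a service definition (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    for service in root.findall("service"):
        sid = service.findtext("id")
        if not sid:
            problems.append("service without <id>")
            continue
        seen_ids = set()
        for rule in service.findall("rule"):
            rid = rule.get("id")
            if rid in seen_ids:
                problems.append("%s: duplicate rule id %s" % (sid, rid))
            seen_ids.add(rid)
            direction = rule.findtext("direction")
            if direction not in VALID_DIRECTIONS:
                problems.append("%s/%s: bad direction %r" % (sid, rid, direction))
            protocol = rule.findtext("protocol")
            if protocol not in VALID_PROTOCOLS:
                problems.append("%s/%s: bad protocol %r" % (sid, rid, protocol))
            port = rule.find("port")
            try:
                begin = int(port.findtext("begin"))
                end = int(port.findtext("end"))
            except (AttributeError, TypeError, ValueError):
                problems.append("%s/%s: missing or non-numeric port range" % (sid, rid))
                continue
            if not (1 <= begin <= end <= 65535):
                problems.append("%s/%s: invalid port range %d-%d" % (sid, rid, begin, end))
            elif end - begin + 1 > MAX_RANGE:
                problems.append("%s/%s: range %d-%d opens %d ports, check it is really needed"
                                % (sid, rid, begin, end, end - begin + 1))
    return problems


if __name__ == "__main__":
    # The four rules from the page, regenerated from a list.
    page_rules = [("outbound", "tcp", 3050, 3250), ("outbound", "udp", 3050, 3250),
                  ("outbound", "tcp", 9000, 9005), ("outbound", "udp", 9000, 9005)]
    xml_text = build_service("yellowbricks", page_rules)
    print(xml_text)
    print("problems:", check_service(xml_text))
    # A constructed bad definition: a huge range, a backwards range, and typos.
    bad = build_service("broad", [("outbound", "tcp", 1024, 65535),
                                  ("inbound", "tcp", 5000, 4000),
                                  ("both", "icmp", 80, 80)])
    for problem in check_service(bad):
        print("problem:", problem)
```

Running it prints the regenerated yellowbricks service with an empty problem list, then four findings for the constructed "broad" service. The wide-range check is deliberately a warning rather than a hard error: a legitimate service can need a large range, but it should be a conscious decision rather than a typo in a begin or end element.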

Server ESX, firewall, VMware

Comments

  1. Arne Fokkema says

    31 December, 2007 at 15:00

    Definitely a coincidence hahaha.

  2. wayne says

    6 March, 2008 at 23:47

    DANGER WILL ROBINSON! mgmt-vmware will turn your VMs off!
    Use esxcfg-firewall in the shell!

  3. Duncan Epping says

    7 March, 2008 at 06:47

    mgmt-vmware will not shut it off per se, it depends on the patch level and the isolation response you defined etc.
