Howto: Adding a firewall service on ESX

Lane Leverett pointed me out to the fact that it’s possible to add a firewall service instead of opening up a huge range or multiple ranges for one service by hand. This way a junior system engineer can easily open up a port range via VirtualCenter instead of the console. I tried this in our testlab with ESX 3.5 and VirtualCenter 2.5 and it works like a charm.

I created a new file “yellowbricks.xml” in the directory /etc/vmware/firewall/ which contains the following:

<!– Firewall configuration information for Yellow-Bricks  –>
<ConfigRoot>
<service>
<id>yellowbricks</id>
<rule id=’0000′>
<direction>outbound</direction>
<protocol>tcp</protocol>
<port type=’dst’>
<begin>3050</begin>
<end>3250</end>
</port>
<flags>-m state –state NEW</flags>
</rule>
<rule id=’0001′>
<direction>outbound</direction>
<protocol>udp</protocol>
<port type=’dst’>
<begin>3050</begin>
<end>3250</end>
</port>
<flags>-m state –state NEW</flags>
</rule>
<rule id=’0002′>
<direction>outbound</direction>
<protocol>tcp</protocol>
<port type=’dst’>
<begin>9000</begin>
<end>9005</end>
</port>
<flags>-m state –state NEW</flags>
</rule>
<rule id=’0003′>
<direction>outbound</direction>
<protocol>udp</protocol>
<port type=’dst’>
<begin>9000</begin>
<end>9005</end>
</port>
<flags>-m state –state NEW</flags>
</rule>
</service>
</ConfigRoot>

Then I restarted the mgmt-vmware service (service mgmt-vmware restart), and the extra service appeared in VirtualCenter. This specific service opens up destination ports 3050-3250 tcp/udp and destination ports 9000-9005 tcp/udp. This is what it looks like in VirtualCenter:

It’s also possible to edit /etc/vmware/firewall/services.xml and add a service, but I’d rather not touch that file because of upgrades and updates to the system. You’ll never know what you tip over or get’s tipped over in the future.