Howto: Adding a firewall service on ESX

Lane Leverett pointed out to me that it’s possible to add a firewall service instead of opening up a huge range, or multiple ranges, for one service by hand. This way a junior system engineer can easily open up a port range via VirtualCenter instead of the console. I tried this in our testlab with ESX 3.5 and VirtualCenter 2.5 and it works like a charm.

I created a new file “yellowbricks.xml” in the directory /etc/vmware/firewall/ which contains the following:

<!-- Firewall configuration information for Yellow-Bricks -->
<ConfigRoot>
  <service>
    <id>yellowbricks</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>
        <begin>3050</begin>
        <end>3250</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <port type='dst'>
        <begin>3050</begin>
        <end>3250</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0002'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>
        <begin>9000</begin>
        <end>9005</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0003'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <port type='dst'>
        <begin>9000</begin>
        <end>9005</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
  </service>
</ConfigRoot>

Then I restarted the mgmt-vmware service (service mgmt-vmware restart), and the extra service appeared in VirtualCenter. This specific service opens up destination ports 3050-3250 tcp/udp and destination ports 9000-9005 tcp/udp. This is what it looks like in VirtualCenter:

It’s also possible to edit /etc/vmware/firewall/services.xml and add a service there, but I’d rather not touch that file because of upgrades and updates to the system. You never know what you’ll tip over, or what gets tipped over, in the future.
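As an added check (example code, not part of the original post and not VMware tooling): a small Python validator for a custom service file in the format shown above. It parses the ConfigRoot/service/rule structure, checks rule ids and port ranges, and flags a service id that is already defined in services.xml, since the ids in the custom file must not collide with those already there. Both XML strings are constructed samples, and the stand-in for services.xml is assumed to use the same format; on a host you would read the real /etc/vmware/firewall/services.xml instead.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the page's yellowbricks.xml, cut down to two of its four rules.
CUSTOM_XML = """<ConfigRoot><service><id>yellowbricks</id>
<rule id='0000'><direction>outbound</direction><protocol>tcp</protocol>
<port type='dst'><begin>3050</begin><end>3250</end></port><flags>-m state --state NEW</flags></rule>
<rule id='0002'><direction>outbound</direction><protocol>udp</protocol>
<port type='dst'><begin>9000</begin><end>9005</end></port><flags>-m state --state NEW</flags></rule>
</service></ConfigRoot>"""

# Constructed stand-in for /etc/vmware/firewall/services.xml (assumed same format, one service).
SERVICES_XML = """<ConfigRoot><service><id>sshServer</id>
<rule id='0000'><direction>inbound</direction><protocol>tcp</protocol>
<port type='dst'><begin>22</begin><end>22</end></port><flags>-m state --state NEW</flags></rule>
</service></ConfigRoot>"""

def parse_services(xml_text):
    """Return [{'id', 'rules': [{'id','type','direction','protocol','begin','end'}]}]."""
    services = []
    for svc in ET.fromstring(xml_text).findall("service"):
        rules = []
        for rule in svc.findall("rule"):
            port = rule.find("port")
            rules.append({"id": rule.get("id"), "type": port.get("type"),
                          "direction": rule.findtext("direction"),
                          "protocol": rule.findtext("protocol"),
                          "begin": int(port.findtext("begin")),
                          "end": int(port.findtext("end"))})
        services.append({"id": svc.findtext("id"), "rules": rules})
    return services

def validate(custom_xml, services_xml=SERVICES_XML):
    """List problems with a custom service file; an empty list means it is safe to drop in."""
    problems = []
    existing = {s["id"] for s in parse_services(services_xml)}
    for svc in parse_services(custom_xml):
        if svc["id"] in existing:
            problems.append("service id %r is already defined in services.xml" % svc["id"])
        seen = set()
        for r in svc["rules"]:
            tag = "%s rule %s:" % (svc["id"], r["id"])
            if r["id"] in seen:
                problems.append("%s duplicate rule id" % tag)
            seen.add(r["id"])
            if r["direction"] not in ("inbound", "outbound") or r["protocol"] not in ("tcp", "udp"):
                problems.append("%s unknown direction/protocol %s/%s" % (tag, r["direction"], r["protocol"]))
            if not 1 <= r["begin"] <= r["end"] <= 65535:
                problems.append("%s bad port range %d-%d" % (tag, r["begin"], r["end"]))
    return problems
```

Run validate() over the new file before restarting mgmt-vmware; an empty list means nothing clashes and every rule is well formed.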


    Comments

    1. Arne Fokkema says:

      Quite a coincidence hahaha.

    2. wayne says:

      DANGER WILL ROBINSON! mgmt-vmware will turn your VMs off!
      Use esxcfg-firewall in the shell!

    3. mgmt-vmware will not shut it off per se, it depends on the patch level and the isolation response you defined etc.

    Trackbacks

    1. [...] same format as services.xml) to provide custom port definitions. You can read all about it at http://www.yellow-bricks.com/2007/12/31/howto-adding-a-firewall-service-on-esx/. Just make sure you use ids in the file that are different than the ones in [...]

    2. [...] details of the .XML file format see Duncan Epping’s blogpost from 2007 which is still relevant and works just fine for vSphere. This also allows you to delegate the [...]