Yellow Bricks

by Duncan Epping

Port range and esxcfg-firewall

Duncan Epping · Dec 27, 2007

An often-made mistake when opening or closing a port range with the ESX (3.0.2 and 3.5) firewall is using the dash (-) as the range separator. Unfortunately, using the dash does not always produce an error. To open or close a port range you should use a colon (:) as the separator:

esxcfg-firewall --openport 6000:6010,tcp,in,test

Normally, using a dash as the separator results in the following error:

[[email protected] /]# esxcfg-firewall -o 7000-7010,tcp,in,test
2007-12-26 20:54:52 (6842) ERROR: 'iptables /sbin/iptables -A INPUT -p tcp --dport 7000-7010 -j ACCEPT' failed
2007-12-26 20:54:52 (6842) ERROR: Panic! Stack trace follows:
2007-12-26 20:54:52 (6842) ERROR: VMware::Panic VMware::Panic::DumpStackTrace in /usr/lib/vmware/esx-perl/perl5/site_perl/5.8.0/VMware/Panic.pm line 59
2007-12-26 20:54:52 (6842) ERROR: main VMware::Panic::Panic in /usr/sbin/esxcfg-firewall line 661
2007-12-26 20:54:52 (6842) ERROR: main main::IpTables in /usr/sbin/esxcfg-firewall line 492
2007-12-26 20:54:52 (6842) ERROR: main main::FWAddCustomPorts in /usr/sbin/esxcfg-firewall line 545
2007-12-26 20:54:52 (6842) ERROR: main main::FWLoad in /usr/sbin/esxcfg-firewall line 1039
2007-12-26 20:54:52 (6842) ERROR: Getopt::Long main::OpenPort in /usr/lib/perl5/5.8.0/Getopt/Long.pm line 478
2007-12-26 20:54:52 (6842) ERROR: Getopt::Long (eval) in /usr/lib/perl5/5.8.0/Getopt/Long.pm line 477
2007-12-26 20:54:52 (6842) ERROR: main Getopt::Long::GetOptions in /usr/sbin/esxcfg-firewall line 1131
2007-12-26 20:54:52 (6842) ERROR: Making panic callbacks…
2007-12-26 20:54:52 (6842) ERROR: Done, exiting with code -19. Goodbye!

The weird thing is that when you query the firewall it reports the port range as open, but restarting the firewall service produces the same error again. It seems that iptables does not accept the dash, and esxcfg-firewall neither converts it nor blocks the port range from being submitted to iptables, so the saved configuration contains a rule that the running ruleset never gets.
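As an added example (not code from the original post or from VMware), here is a pre-flight check in Python that a practitioner could run before calling esxcfg-firewall: it validates the port,protocol,direction,name spec used above, rewrites a dash-separated range into the colon form iptables accepts, and refuses reversed or out-of-bounds ranges, so a rule iptables will reject on the next reload never gets saved. The field layout is taken from the command above; the check itself, its function names and the argv it builds are assumptions of this example, and the block only constructs the command rather than executing it.

```python
"""Pre-flight check for esxcfg-firewall --openport / --closeport specs.

Field layout as on ESX 3.x:  <port|begin:end>,<tcp|udp>,<in|out>,<name>
A dash-separated range slips past the tool's own parsing but is refused by
iptables, so we normalise and validate before the tool ever sees it.
(Function names and behaviour are this example's own assumptions.)
"""
import re

PROTOCOLS = {"tcp", "udp"}
DIRECTIONS = {"in", "out"}
# one port, or begin<sep>end where sep is the correct ':' or the usual '-' typo
PORT_SPEC = re.compile(r"^(\d{1,5})(?:([:-])(\d{1,5}))?$")


def normalise_port_spec(spec):
    """Return a spec that both esxcfg-firewall and iptables accept.

    Raises ValueError for anything that would make the tool panic or
    silently record a rule iptables rejects on the next firewall restart.
    """
    fields = spec.split(",")
    if len(fields) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}: {spec!r}")
    ports, proto, direction, name = (f.strip() for f in fields)

    m = PORT_SPEC.match(ports)
    if not m:
        raise ValueError(f"bad port or range: {ports!r}")
    begin = int(m.group(1))
    end = int(m.group(3)) if m.group(3) else begin
    for p in (begin, end):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    if begin > end:
        raise ValueError(f"range start {begin} is greater than end {end}")
    # iptables --dport range syntax is begin:end; never emit the dash form
    ports = f"{begin}:{end}" if begin != end else str(begin)

    proto = proto.lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"protocol must be tcp or udp, got {proto!r}")
    direction = direction.lower()
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be in or out, got {direction!r}")
    # the name ends up in the saved firewall config; keep it a plain token
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise ValueError(f"rule name must be a simple token, got {name!r}")
    return ",".join((ports, proto, direction, name))


def build_command(action, spec):
    """argv list for subprocess.run(); action is 'openport' or 'closeport'."""
    if action not in ("openport", "closeport"):
        raise ValueError(f"unknown action {action!r}")
    return ["esxcfg-firewall", f"--{action}", normalise_port_spec(spec)]


if __name__ == "__main__":
    # constructed inputs: the good form, the dash typo, and a reversed range
    for s in ("6000:6010,tcp,in,test", "7000-7010,tcp,in,test", "7010-7000,tcp,in,test"):
        try:
            print(" ".join(build_command("openport", s)))
        except ValueError as e:
            print(f"rejected {s!r}: {e}")
```

Wiring this in front of the real command (for example in the provisioning script that opens ports on new hosts) means the mismatch the post describes, where the query says "open" but the ruleset never got the rule, cannot be introduced by a typo.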


Comments

  1. Lane Leverett says

    27 December, 2007 at 16:02

    Another option, especially when there are a ton of ports to open would be to add a new service. I had to do this when testing out ESX 3.5 and I found it did not have the AAMClient (which is needed for FastSCP to work) listed as a service I could open in the firewall. So what I ended up doing was editing /etc/vmware/firewall/services.xml and added another service id (the next available id which for me was 31) and copied the syntax from one of my 3.0.2 hosts that had the AAMClient installed. So what I got is what follows:

    <service id='0031'>
      <id>AAMClient</id>
      <rule id='0000'>
        <direction>outbound</direction>
        <protocol>tcp</protocol>
        <port type='dst'>
          <begin>2050</begin>
          <end>5000</end>
        </port>
        <flags>-m state --state NEW</flags>
      </rule>
      <rule id='0001'>
        <direction>outbound</direction>
        <protocol>udp</protocol>
        <port type='dst'>
          <begin>2050</begin>
          <end>5000</end>
        </port>
        <flags>-m state --state NEW</flags>
      </rule>
      <rule id='0002'>
        <direction>outbound</direction>
        <protocol>tcp</protocol>
        <port type='dst'>
          <begin>8042</begin>
          <end>8045</end>
        </port>
        <flags>-m state --state NEW</flags>
      </rule>
      <rule id='0003'>
        <direction>outbound</direction>
        <protocol>udp</protocol>
        <port type='dst'>
          <begin>8042</begin>
          <end>8045</end>
        </port>
        <flags>-m state --state NEW</flags>
      </rule>
      <rule id='0004'>
        <direction>inbound</direction>
        <protocol>tcp</protocol>
        <port type='dst'>
          <begin>2050</begin>
          <end>5000</end>
        </port>
        <flags>-m state --state NEW</flags>
      </rule>
      <rule id='0005'>
        <direction>inbound</direction>
        <protocol>udp</protocol>
        <port type='dst'>
          <begin>2050</begin>
          <end>5000</end>
        </port>
        <flags>-m state --state NEW</flags>
      </rule>
      <rule id='0006'>
        <direction>inbound</direction>
        <protocol>tcp</protocol>
        <port type='dst'>
          <begin>8042</begin>
          <end>8045</end>
        </port>
        <flags>-m state --state NEW</flags>
      </rule>
      <rule id='0007'>
        <direction>inbound</direction>
        <protocol>udp</protocol>
        <port type='dst'>
          <begin>8042</begin>
          <end>8045</end>
        </port>
        <flags>-m state --state NEW</flags>
      </rule>
    </service>

    Then I enabled the client with “esxcfg-firewall -e AAMClient”. It requires a little up front work, but makes it easier for any junior administrators not familiar with the service console to be able to check or uncheck the box to open or close those ports through the VI Client. Hope this helps out!!

    Lane

  2. wing figgles says

    16 January, 2008 at 15:50

    Did you not connect your ESX server to virtual center? The AAM client + firewall settings are enabled by the vpxa client rpm.

  3. Amos says

    29 April, 2008 at 19:54

    An even better option would be to duplicate an existing xml file in the /etc/vmware/firewall folder and modify to suit. I did this for apcupsd (for a “net” client config) and it looked like the following (except I have changed the XML brackets for parentheses in the hopes that they might actually post on this page):

    (!-- Firewall configuration information for apcupsd client --)
    (ConfigRoot)
    (service)
    (id)apcupsd(/id)
    (rule id='0000')
    (direction)outbound(/direction)
    (protocol)tcp(/protocol)
    (port type='dst')3551(/port)
    (flags)-m state --state NEW(/flags)
    (/rule)
    (/service)
    (/ConfigRoot)
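Building on the two services.xml comments above (Lane's AAMClient entry and Amos's apcupsd entry), the following Python is an added example, not code from either commenter or from VMware: it parses a services.xml-style service entry and renders the iptables rule each (rule) implies, checking that a range carries both a begin and an end and that the numbers are sane, which lets you review a hand-edited entry before running esxcfg-firewall -e. The element names follow Amos's example; the begin/end children for a range are assumed to match the ESX 3.x file, the mapping of inbound/outbound to the INPUT/OUTPUT chains and the -j ACCEPT target are this example's own assumptions about how the tool renders rules, and the sample document is constructed.

```python
"""Render an ESX 3.x-style services.xml service into the iptables rules it
implies, validating the port ranges on the way.

Assumptions of this example (not taken from the page): a range is written as
<begin>/<end> children of <port>, inbound maps to the INPUT chain, outbound
to OUTPUT, and every rule ends in -j ACCEPT.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a range rule (like the AAMClient comment) and a
# single-port rule (like the apcupsd comment). Service ids are made up.
SAMPLE_SERVICES_XML = """<ConfigRoot>
  <service id='0031'>
    <id>AAMClient</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>
        <begin>2050</begin>
        <end>5000</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
  </service>
  <service id='0032'>
    <id>apcupsd</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>3551</port>
      <flags>-m state --state NEW</flags>
    </rule>
  </service>
</ConfigRoot>"""

CHAIN = {"inbound": "INPUT", "outbound": "OUTPUT"}  # assumed mapping


def port_arg(port_el):
    """<port> element -> the value iptables takes after --dport/--sport.
    A range is rendered as begin:end (colon, never the dash the post warns about)."""
    if port_el is None:
        raise ValueError("rule has no <port> element")
    begin = port_el.findtext("begin")
    end = port_el.findtext("end")
    if begin is None and end is None:
        values = [(port_el.text or "").strip()]
        if not values[0]:
            raise ValueError("empty <port> element")
    elif begin is not None and end is not None:
        values = [begin.strip(), end.strip()]
    else:
        raise ValueError("a range needs both <begin> and <end>")
    nums = [int(v) for v in values]
    if any(not 1 <= n <= 65535 for n in nums):
        raise ValueError(f"port out of range: {values}")
    if len(nums) == 2 and nums[0] > nums[1]:
        raise ValueError(f"range begins after it ends: {values}")
    return ":".join(str(n) for n in nums)


def service_rules(xml_text, service_name):
    """Return one iptables argument string per <rule> of the named service."""
    root = ET.fromstring(xml_text)
    for svc in root.iter("service"):
        if svc.findtext("id") != service_name:
            continue
        rules = []
        for rule in svc.iter("rule"):
            direction = rule.findtext("direction")
            proto = rule.findtext("protocol")
            if direction not in CHAIN or proto not in ("tcp", "udp"):
                raise ValueError(f"bad direction/protocol in rule {rule.get('id')}")
            port_el = rule.find("port")
            port_flag = "--dport" if port_el is None or port_el.get("type", "dst") == "dst" else "--sport"
            flags = (rule.findtext("flags") or "").strip()
            parts = ["-A", CHAIN[direction], "-p", proto, port_flag, port_arg(port_el)]
            if flags:
                parts += flags.split()
            parts += ["-j", "ACCEPT"]
            rules.append(" ".join(parts))
        return rules
    raise KeyError(service_name)


if __name__ == "__main__":
    for name in ("AAMClient", "apcupsd"):
        for line in service_rules(SAMPLE_SERVICES_XML, name):
            print(f"{name}: iptables {line}")
```

Running it over the real /etc/vmware/firewall/services.xml after an edit shows exactly which chains and port ranges a new service will open once a junior administrator ticks its box in the VI Client, which is the review step worth having before that box exists.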
