Lane Leverett pointed out to me that it’s possible to add a firewall service instead of opening up a huge range, or multiple ranges, for one service by hand. This way a junior system engineer can easily open a port range via VirtualCenter instead of the console. I tried this in our test lab with ESX 3.5 and VirtualCenter 2.5 and it works like a charm.
I created a new file “yellowbricks.xml” in the directory /etc/vmware/firewall/ which contains the following:
<!-- Firewall configuration information for Yellow-Bricks -->
<ConfigRoot>
  <service>
    <id>yellowbricks</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>
        <begin>3050</begin>
        <end>3250</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <port type='dst'>
        <begin>3050</begin>
        <end>3250</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0002'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>
        <begin>9000</begin>
        <end>9005</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0003'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <port type='dst'>
        <begin>9000</begin>
        <end>9005</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
  </service>
</ConfigRoot>
Then I restarted the mgmt-vmware service (service mgmt-vmware restart), and the extra service appeared in VirtualCenter. This specific service opens up destination ports 3050-3250 tcp/udp and destination ports 9000-9005 tcp/udp. This is what it looks like in VirtualCenter:
It’s also possible to edit /etc/vmware/firewall/services.xml and add a service there, but I’d rather not touch that file because of upgrades and updates to the system: you never know what you’ll tip over, or what gets tipped over, in the future.
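As an added example (not from the post, nor VMware’s own tooling), here is a small Python parser and sanity check for a service file in this format, so a junior engineer can confirm what a new file will open before restarting mgmt-vmware; the sample XML is constructed from the post’s rules and the `max_width` threshold is an arbitrary value I chose:

```python
# Parse an ESX 3.x firewall service file and sanity-check it before enabling it.
import xml.etree.ElementTree as ET
# Constructed sample in the page's format (two of its four rules).
SAMPLE_XML = """<ConfigRoot>
  <service><id>yellowbricks</id>
    <rule id='0000'>
      <direction>outbound</direction><protocol>tcp</protocol>
      <port type='dst'><begin>3050</begin><end>3250</end></port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction><protocol>udp</protocol>
      <port type='dst'><begin>3050</begin><end>3250</end></port>
      <flags>-m state --state NEW</flags>
    </rule>
  </service>
</ConfigRoot>"""

def parse_services(xml_text):
    """Return {service_id: [rule dict, ...]} for every <service> in the document."""
    services = {}
    for svc in ET.fromstring(xml_text).findall("service"):
        rules = []
        for rule in svc.findall("rule"):
            port = rule.find("port")  # <port type='dst'><begin>..</begin><end>..</end></port>
            rules.append({
                "id": rule.get("id"),
                "direction": rule.findtext("direction"),
                "protocol": rule.findtext("protocol"),
                "begin": int(port.findtext("begin")),
                "end": int(port.findtext("end")),
                "flags": rule.findtext("flags", ""),
            })
        services[svc.findtext("id")] = rules
    return services

def check_rules(rules, max_width=256):
    """Return findings as strings; an empty list means the rules look sane."""
    findings = []
    for r in rules:
        tag, width = f"rule {r['id']}", r["end"] - r["begin"] + 1
        if r["direction"] not in ("inbound", "outbound"):
            findings.append(f"{tag}: unknown direction {r['direction']!r}")
        if r["protocol"] not in ("tcp", "udp"):
            findings.append(f"{tag}: unknown protocol {r['protocol']!r}")
        if not 1 <= r["begin"] <= r["end"] <= 65535:
            findings.append(f"{tag}: invalid port range {r['begin']}-{r['end']}")
        elif width > max_width:  # a wide range deserves a second look before it goes live
            findings.append(f"{tag}: range spans {width} ports")
    return findings
```

Run it against the real file with `check_rules(parse_services(open("/etc/vmware/firewall/yellowbricks.xml").read())["yellowbricks"])` on the service console.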
Arne Fokkema says
Must be a coincidence hahaha.
wayne says
DANGER WILL ROBINSON! mgmt-vmware will turn your VMs off!
Use esxcfg-firewall in the shell!
Duncan Epping says
mgmt-vmware will not shut it off per se, it depends on the patch level and the isolation response you defined etc.