The firewall built into ESX server uses iptables, the very commonly used Linux firewall. However to create the rules another esxcfg tool is used, which is esxcfg-firewall.
To list the services currently controlled by the firewall:
esxcfg-firewall -s
To list the firewall rules:
esxcfg-firewall -q [servicename]
esxcfg-firewall -q
Enable a service:
esxcfg-firewall -e [servicename]
esxcfg-firewall -e sshClient
Disable a service:
esxcfg-firewall -d [servicename]
esxcfg-firewall -d sshClient
Open a port:
esxcfg-firewall -o 465,tcp,out,out-smtps
Close a port:
esxcfg-firewall -c 465,tcp,out
Command Options:
/usr/sbin/esxcfg-firewall
esxcfg-firewall
-q|--query Lists current settings.
-q|--query Lists setting for the
specified service.
-q|--query incoming|outgoing Lists setting for non-required
incoming/outgoing ports.
-s|--services Lists known services.
-l|--load Loads current settings.
-r|--resetDefaults Resets all options to defaults
-e|--enableService Allows specified service
through the firewall.
-d|--disableService Blocks specified service
-o|--openPort Opens a port.
-c|--closePort Closes a port previously opened
via --openPort.
--blockIncoming Block all non-required incoming
ports (default value).
--blockOutgoing Block all non-required outgoing
ports (default value).
--allowIncoming Allow all incoming ports.
--allowOutgoing Allow all outgoing ports.
-h|--help Show this message.
esxcfg-firewall
-q|--query Lists current settings.
-q|--query
specified service.
-q|--query incoming|outgoing Lists setting for non-required
incoming/outgoing ports.
-s|--services Lists known services.
-l|--load Loads current settings.
-r|--resetDefaults Resets all options to defaults
-e|--enableService
through the firewall.
-d|--disableService
-o|--openPort Opens a port.
-c|--closePort Closes a port previously opened
via --openPort.
--blockIncoming Block all non-required incoming
ports (default value).
--blockOutgoing Block all non-required outgoing
ports (default value).
--allowIncoming Allow all incoming ports.
--allowOutgoing Allow all outgoing ports.
-h|--help Show this message.
NOTE: For changes to show in VC/VI client restart mgmt-vmware.
/etc/init.d/mgmt-vmware restart
Share this blog post on social media:
Tweet
Latest Blog Posts
- vSphere 7 U1 - Part 3 - Creating a Datacenter, HA/DRS Cluster and Adding a Host
- vSphere 7 U1 - Part 2 - Deploying vCenter 7.0 U1 VCSA
- vSphere 7 U1 - Part 1 - Installing ESXi 7.0 U1
- Veeam CBT Data is Invalid - Reset CBT Without Powering Off VM
- View Administrator Blank Error Dialog/Window After Upgrade