Make an ESX Firewall Rule Manageable in the vSphere Client

June 25th, 2010 by jason Leave a reply »

Make an ESX Firewall Rule Manageable in the vSphere Client.  To do so, you essentially need to create a new service in the firewall configuration XML file.

Open the file /etc/vmware/firewall/services.xml
Scroll to the bottom & note the last Service ID #
Copy an existing service section as a template (ie. faultTolerance)
Paste as new following proper XML formatting
Increment the Service ID # by 1 ensuring it’s unique
Customize to fit your new inbound/outbound port rule
Save and exit
Services do not need to be restarted

As an example, I took :

<service id=’0031′>
    <id>faultTolerance</id>
    <rule id=’0000′>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type=’dst’>80</port>
    </rule>
  </service>

and created a new service like so:

<service id=’0033′>
    <id>CoolFirewallRule</id>
    <rule id=’0000′>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type=’dst’>12345</port>
    </rule>
  </service>

The result is a firewall rule named CoolFirewallRule which can be toggled via the vSphere Client:

 6-22-2010 11-13-39 PM

Advertisement

4 comments

  1. Mike Foley says:

    I’ll bet you could get Luc Dekens to write up a PowerCLI script that would update that via SSH. :)

  2. michael says:

    Cool! Thanks.

  3. Greg Stuart says:

    This is a great post. We have actually been looking for some sort of solution to a new firewall rule required by a special project here in our lab. Great work Jason!

  4. Andrew says:

    Do these firewall changes persist over a reboot of the ESXi host?

    I know, I know, I could check, but I am at work and cannot access my server right now.

Leave a Reply