In a lab environment, and in very limited production scenarios, it’s often very useful to open all ports, TCP and UDP, but only to certain IP addresses, subnets, or IP address ranges. I have found very little info on this specifically, so I thought I would whip up this guide so you know an easy way to open up all ports for specific addresses. This will work on VMware ESXi 5, 5.1 and 5.5 for sure, and it will most likely work on most other versions of ESXi, although I have not tested it. Please let me know in the comments if you have luck on non-5.x versions, specifically 4.x and 6.x.
Basically, we are going to create 4 firewall rules, each of which does the following:
- Open all UDP ports inbound (ports 1-60,000).
- Open all UDP ports outbound (ports 1-60,000).
- Open all TCP ports inbound (ports 1-60,000).
- Open all TCP ports outbound (ports 1-60,000).
Once that’s done we’ll lock access down to specific address(es) via the vSphere Client. First, go ahead and SSH into your ESXi host. Once you are at a command prompt you will need to edit /etc/vmware/firewall/service.xml. I prefer nano, but that’s not available on ESXi, so we have to use vi. First, let’s make a backup of the file and change permissions so we can edit the file.
# cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak
# chmod 644 /etc/vmware/firewall/service.xml
# chmod +t /etc/vmware/firewall/service.xml
Now we have a backup of the service.xml file, called service.xml.bak. We have also allowed writes to service.xml and set the sticky bit. Let’s go ahead and open service.xml with vi.
# vi /etc/vmware/firewall/service.xml
The service.xml file is the main template for firewall rules, specifically pertaining to ports. It is what populates all of the available information on the Security Profile > Firewall tab in the vSphere Client. It is here we are going to add our four rules. If you are unfamiliar with vi, it can be a bit confusing. Here are some pointers for you:
- When you first enter vi, you cannot manipulate any text. To do so, hit the “i” key. This puts you in “insert” mode.
- Once you have pressed “i” you can move about freely and add/edit at will.
- After making all needed changes, press the “ESC” key, then the “:” key. This puts you in vi command mode.
- At the “:” prompt, enter “w” (for write) and “q” (for quit) and then press enter, so it should look like this: :wq
- You have just saved and exited. That’s it. So, let’s continue.
You can insert the 4 new rules pretty much anywhere in service.xml; just make sure they go between the closing of one rule and the beginning of the next.
After you add all that in, hit the ESC key, then :wq and hit enter to save and exit. Now that we’ve added the four rules we need to refresh the firewall rules and remove write access from service.xml. To do this run these commands:
# chmod 444 /etc/vmware/firewall/service.xml
# esxcli network firewall refresh
Now the rules are added, but the ports are opened up to everyone and every IP. If this is in a private lab setting, you have the option of stopping here and leaving it like that. If not, let’s lock it down to certain IP addresses. Open up the vSphere Client and go to Security Profile, under the Configuration tab, and click Properties in the Firewall area.
You will notice a line similar to this for each of the four rules we created:
Select each of the four rules, one at a time (they are named UDPALLOUT, UDPALLIN, TCPALLOUT, and TCPALLIN) and click Firewall. This is where you can enter an individual address, subnet or address range. The first address you need to add in each category is the address you are connecting from over SSH and/or the vSphere Client. If you do not, as soon as you click OK you will lose access. Once you have added allowed IP addresses to each of the four rules, click OK and you are done.
After adding these four rules, all other firewall rules become pointless and are overridden. Any changes made to other firewall rules will have no effect.
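Since the four rule definitions themselves are not reproduced above, here is an added example (not the author’s own rules, and not VMware’s code) of what one such service entry looks like and how the whole procedure, including the lock-down from the previous step, can be done from the ESXi shell with esxcli instead of the vSphere Client. Assumptions: service.xml is rooted at <ConfigRoot>, each <service id="NNNN"> needs a unique four-digit id and the ids 0100-0103 are free on your host, the ruleset names and the 1-60000 port range follow the guide, and the addresses 192.0.2.10 and 192.0.2.0/24 in the usage line are placeholders for your own management addresses.

```shell
#!/bin/sh
# Added example for the guide above; assumptions: <ConfigRoot> is the root
# element of service.xml, ids 0100-0103 are unused, run as root on the host.

SERVICE_XML=/etc/vmware/firewall/service.xml

# Print one <service> block that opens every port of one protocol in one
# direction. $1 = service id, $2 = ruleset name (what the vSphere Client
# shows), $3 = inbound|outbound, $4 = tcp|udp
allports_rule_xml() {
    printf '%s\n' \
        "<service id=\"$1\">" \
        "  <id>$2</id>" \
        "  <rule id='0000'>" \
        "    <direction>$3</direction>" \
        "    <protocol>$4</protocol>" \
        "    <porttype>dst</porttype>" \
        "    <port>" \
        "      <begin>1</begin>" \
        "      <end>60000</end>" \
        "    </port>" \
        "  </rule>" \
        "  <enabled>true</enabled>" \
        "  <required>false</required>" \
        "</service>"
}

# The four rules, named exactly as the guide names them.
all_four_rules_xml() {
    allports_rule_xml 0100 UDPALLIN  inbound  udp
    allports_rule_xml 0101 UDPALLOUT outbound udp
    allports_rule_xml 0102 TCPALLIN  inbound  tcp
    allports_rule_xml 0103 TCPALLOUT outbound tcp
}

# Insert the rules just before </ConfigRoot> of the file named in $1 and
# write the result to $2. Pure text processing, so it works on any copy.
insert_rules() {
    # Everything up to, but not including, the closing root tag ...
    sed '/<\/ConfigRoot>/,$d' "$1" > "$2"
    # ... then the four rules, then the closing tag again.
    all_four_rules_xml >> "$2"
    printf '</ConfigRoot>\n' >> "$2"
}

# The backup / edit / refresh steps of the guide. The sticky bit is what
# makes ESXi keep the edited file across reboots.
install_allports_rules() {
    cp "$SERVICE_XML" "$SERVICE_XML.bak"
    chmod 644 "$SERVICE_XML"
    chmod +t "$SERVICE_XML"
    insert_rules "$SERVICE_XML.bak" "$SERVICE_XML"
    chmod 444 "$SERVICE_XML"
    esxcli network firewall refresh
}

# The lock-down step via esxcli: $1 = ruleset name, remaining args =
# addresses or subnets to allow. The allowed sources are added first and
# "allow all" is switched off only afterwards, so the session running this
# is never cut off (the same ordering the guide insists on).
restrict_ruleset_to_ips() {
    rs=$1; shift
    for ip in "$@"; do
        esxcli network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$ip"
    done
    esxcli network firewall ruleset set --ruleset-id "$rs" --allowed-all false
}

# Verification: each of the four rulesets should now list only the intended
# sources and report AllowedAll as false.
show_allowed_ips() {
    esxcli network firewall ruleset allowedip list
}

# Usage on the host (nothing is changed unless "apply" is given):
#   sh allports.sh apply 192.0.2.10 192.0.2.0/24
if [ "${1:-}" = "apply" ]; then
    shift
    install_allports_rules
    for rs in UDPALLIN UDPALLOUT TCPALLIN TCPALLOUT; do
        restrict_ruleset_to_ips "$rs" "$@"
    done
    show_allowed_ips
fi
```

Put your own management address first in the argument list, and run `esxcli network firewall ruleset allowedip list` afterwards to confirm that none of the four rulesets still shows AllowedAll as true before you close the session.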