Configure and administer the ESXi firewall

1.4c

ESXi includes a firewall between the management interface and the network. The firewall is enabled by default.
At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for the default services listed in TCP and UDP ports for Management Access.

The firewall also allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.

Supported services and management agents that are required to operate the host are described in a rule set configuration file in the ESXi firewall directory /etc/vmware/firewall/. The file contains firewall rules and lists each rule's relationship with ports and protocols.

You cannot add a rule to the ESXi firewall unless you create and install a VIB that contains the rule set configuration file. The VIB authoring tool is available to VMware partners.

Rule Set Configuration Files

A rule set configuration file contains firewall rules and describes each rule's relationship with ports and protocols. The rule set configuration file can contain rule sets for multiple services.
Rule set configuration files are located in the /etc/vmware/firewall/ directory. To add a service to the host security profile, VMware partners can create a VIB that contains the port rules for the service in a configuration file. VIB authoring tools are available to VMware partners only.

Example: Rule Set Configuration File

<ConfigRoot>
  <service id='0000'>
    <id>serviceName</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>80</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>
        <begin>1020</begin>
        <end>1050</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
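The rule set file format above is simple enough to audit with a short script. The following is an added example, not code from the VMware documentation: it parses a constructed copy of the file into the per-rule view (direction, protocol, port type, port or range) that the Security Profile shows, and lists enabled rule sets whose required flag is false, the ones worth reviewing when deciding which rule sets to leave enabled.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the rule set configuration file format shown above.
RULESET_XML = """<ConfigRoot>
  <service id='0000'>
    <id>serviceName</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>80</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>
        <begin>1020</begin>
        <end>1050</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>"""

def _text(el, tag):
    """Stripped text of a child element, or '' when it is absent."""
    return (el.findtext(tag) or "").strip()

def parse_port(port_el):
    """A <port> holds either a single number or a <begin>/<end> range."""
    if port_el.find("begin") is not None:
        return f"{_text(port_el, 'begin')}-{_text(port_el, 'end')}"
    return (port_el.text or "").strip()

def parse_rulesets(xml_text):
    """Map each service id to its flags and (direction, protocol, porttype, port) rules."""
    services = {}
    for svc in ET.fromstring(xml_text).findall("service"):
        rules = [(_text(r, "direction"), _text(r, "protocol"),
                  _text(r, "porttype"), parse_port(r.find("port")))
                 for r in svc.findall("rule")]
        services[_text(svc, "id")] = {"enabled": _text(svc, "enabled") == "true",
                                      "required": _text(svc, "required") == "true",
                                      "rules": rules}
    return services

def review_candidates(services):
    """Enabled rule sets whose <required> flag is false, sorted by service id."""
    return sorted(n for n, s in services.items() if s["enabled"] and not s["required"])
```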

 
 
You can configure firewall properties to allow or deny access for a service or management agent.
You add information about allowed services and management agents to the host configuration file. You can enable or disable these services and agents using the vSphere Client or at the command line.

You can specify which networks are allowed to connect to each service that is running on the host.
By default, all IP addresses are allowed.

Procedure

  1. Log in to a vCenter Server system using the vSphere Client.
  2. Select the host in the inventory panel.
  3. Click the Configuration tab and click Security Profile.
    The vSphere Client displays a list of active incoming and outgoing connections with the corresponding firewall ports.
  4. In the Firewall section, click Properties.
  5. (Optional) Select either Allow connections from any IP address or Only allow connections from the following networks.
  6. (Optional) Click OK.
  7. Select the rule sets to enable, or deselect the rule sets to disable.
    The Incoming and Outgoing Ports columns indicate the ports that the vSphere Client opens for the service. The Protocol column indicates the protocol that the service uses. The Daemon column indicates the status of the daemons associated with the service.
  8. Click OK.

The NFS Client rule set behaves differently than other ESXi firewall rule sets. ESXi configures NFS Client settings when you mount or unmount an NFS datastore.
When you add or mount an NFS datastore, ESXi checks the state of the NFS Client (nfsClient) firewall rule set.

Firewall Configuration Using the ESXi Shell

The vSphere Client graphical user interface provides the preferred means of performing many configuration tasks. However, you can use the ESXi Shell to configure ESXi at the command line if necessary.

Command                                              Description
esxcli network firewall get                          Returns the enabled or disabled status of the firewall and lists the default actions.
esxcli network firewall set --enabled true|false     Enables or disables the ESXi firewall.
esxcli network firewall refresh                      Refreshes the firewall configuration by re-reading the rule set files, if the firewall module is loaded.
esxcli network firewall ruleset list                 Lists rule set information.

 