Esxcfg-firewall
Description: Configures the service console firewall ports
Syntax: esxcfg-firewall <options>
Options:
| -q | Lists current settings |
| -q <service> | Lists settings for the specified service |
| -q incoming|outgoing | Lists settings for non-required incoming/outgoing ports |
| -s | Lists known services |
| -l | Loads current settings |
| -r | Resets all options to defaults |
| -e <service> | Allows specified service through the firewall (enables) |
| -d <service> | Blocks specified service (disables) |
| -o <port, tcp|udp,in|out,name> | Opens a port |
| -c <port, tcp|udp,in|out> | Closes a port previously opened by -o |
| -h | Displays command help |
| --allowIncoming | Allow all incoming ports |
| --allowOutgoing | Allow all outgoing ports |
| --blockIncoming | Block all non-required incoming ports (default value) |
| --blockOutgoing | Block all non-required outgoing ports (default value) |
Default Services:
| AAMClient | Added by the vpxa RPM: Traffic between ESX Server hosts for VMware High Availability (HA) and EMC Autostart Manager – inbound and outbound TCP and UDP Ports 2050 – 5000 and 8042 – 8045 |
| activeDirectorKerberos | Active Directory Kerberos – outbound TCP Ports 88 and 464 |
| CIMHttpServer | First-party optional service: CIM HTTP Server – inbound TCP Port 5988 |
| CIMHttpsServer | First-party optional service: CIM HTTPS Server – inbound TCP Port 5989 |
| CIMSLP | First-party optional service: CIM SLP – inbound and outbound TCP and UDP Ports 427 |
| commvaultDynamic | Backup agent: Commvault dynamic – inbound and outbound TCP Ports 8600 – 8619 |
| commvaultStatic | Backup agent: Commvault static – inbound and outbound TCP Ports 8400 – 8403 |
| ftpClient | FTP client – outbound TCP Port 21 |
| ftpServer | FTP server – inbound TCP Port 21 |
| kerberos | Kerberos – outbound TCP Ports 88 and 749 |
| LicenseClient | FlexLM license server client – outbound TCP Ports 27000 and 27010 |
| nfsClient | NFS client – outbound TCP and UDP Ports 111 and 2049 (0 – 65535) |
| nisClient | NIS client – outbound TCP and UDP Ports 111 (0 – 65535) |
| ntpClient | NTP client – outbound UDP Port 123 |
| smbClient | SMB client – outbound TCP Ports 137 – 139 and 445 |
| snmpd | SNMP services – inbound TCP Port 161 and outbound TCP Port 162 |
| sshClient | SSH client – outbound TCP Port 22 |
| sshServer | SSH server – inbound TCP Port 22 |
| swISCSIClient | First-party optional service: Software iSCSI client – outbound TCP Port 3260 |
| telnetClient | Telnet client – outbound TCP Port 23 |
| TSM | Backup agent: IBM Tivoli Storage Manager – inbound and outbound TCP Port 1500 |
| veritasBackupExec | Backup agent: Veritas BackupExec – inbound TCP Ports 10000 – 10200 |
| veritasNetBackup | Backup agent: Veritas NetBackup – inbound TCP Ports 13720, 13732, 13734, and 13783 |
| vncServer | VNC server – Allow VNC sessions 0-64: inbound TCP Ports 5900 – 5964 |
| vpxHeartbeats | vpx heartbeats – outbound UDP Port 902 |
Note: You can configure your own services in the file /etc/vmware/firewall/services.xml
esxcfg-firewall examples:
Enable ssh client connections from the Service Console:
# esxcfg-firewall -e sshClient
Disable the Samba client connections:
# esxcfg-firewall -d smbClient
Allow syslog outgoing traffic:
# esxcfg-firewall -o 514,udp,out,syslog
Turn off the firewall:
# esxcfg-firewall --allowIncoming
# esxcfg-firewall --allowOutgoing
Re-enable the firewall:
# esxcfg-firewall --blockIncoming
# esxcfg-firewall --blockOutgoing
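The individual commands above are usually combined into a host build script so every ESX host ends up with the same block-by-default console firewall. The following is an added example, not part of the original page or of VMware's tooling: it validates the `port,tcp|udp,in|out,name` specs, prints the full esxcfg-firewall sequence as a dry run, and only executes it where the tool exists on PATH. The service lists and the syslog port are constructed values for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): plan and optionally apply a
# block-by-default baseline for the ESX 3.x service console firewall using the
# esxcfg-firewall options documented above. Service names come from the page's
# default service list; the syslog port reuses the page's "-o 514,udp,out,syslog".
# Assumption: esxcfg-firewall is only on PATH on an ESX host; elsewhere the
# command sequence is printed as a dry run and nothing is executed.

FW_ENABLE="sshServer ntpClient LicenseClient vpxHeartbeats"   # constructed
FW_DISABLE="ftpServer vncServer"                              # constructed
FW_PORTS="514,udp,out,syslog"       # -o format: port,tcp|udp,in|out,name

# Validate one -o/-c spec: port 1-65535, tcp|udp, in|out, simple name.
fw_valid_spec() {
    case "$1" in *,*,*,*) ;; *) return 1 ;; esac
    port=${1%%,*}; rest=${1#*,}
    proto=${rest%%,*}; rest=${rest#*,}
    dir=${rest%%,*}; name=${rest#*,}
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$dir" in in|out) ;; *) return 1 ;; esac
    case "$name" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Print the command sequence: reset, block by default, disable, enable, open.
# Specs are validated before anything is emitted so a typo aborts the plan.
fw_plan() {
    for spec in $FW_PORTS; do
        fw_valid_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    echo "esxcfg-firewall -r"
    echo "esxcfg-firewall --blockIncoming"
    echo "esxcfg-firewall --blockOutgoing"
    for svc in $FW_DISABLE; do echo "esxcfg-firewall -d $svc"; done
    for svc in $FW_ENABLE;  do echo "esxcfg-firewall -e $svc"; done
    for spec in $FW_PORTS;  do echo "esxcfg-firewall -o $spec"; done
}

# Execute the plan only on a host that has the tool; otherwise dry run.
fw_apply() {
    if command -v esxcfg-firewall >/dev/null 2>&1; then
        fw_plan | sh -e
    else
        fw_plan
    fi
}
```

Run `fw_apply` on a workstation first to review the printed sequence, then on the host; `esxcfg-firewall -q` afterwards confirms the resulting state.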