Make an ESX Firewall Rule Manageable in the vSphere Client

To do so, you essentially need to create a new service in the firewall configuration XML file.
1. Open the file /etc/vmware/firewall/services.xml
2. Scroll to the bottom and note the last service id number
3. Copy an existing service section as a template (e.g. faultTolerance)
4. Paste it as a new section, following proper XML formatting
5. Increment the service id number by 1, making sure it is unique
6. Customize the section to fit your new inbound/outbound port rule
7. Save and exit
8. No services need to be restarted
As an example, I took:
<service id='0031'>
  <id>faultTolerance</id>
  <rule id='0000'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type='dst'>80</port>
  </rule>
</service>
and created a new service like so:
<service id='0033'>
  <id>CoolFirewallRule</id>
  <rule id='0000'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type='dst'>12345</port>
  </rule>
</service>
The result is a firewall rule named CoolFirewallRule that can be toggled in the vSphere Client.
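The manual steps above (find the highest service id, append a copy of an existing service, bump the id, keep it unique) are easy to get wrong by hand, and a duplicate id or a malformed element will silently break the whole file. The following Python script is an added example, not code from the original post or from VMware: it parses a services.xml-style document, picks the next free id, appends a single-rule service, and checks that the result is well-formed with no duplicate ids. The root element name ConfigRoot, the constructed sample file contents, and the validation rules (direction, protocol, port range) are my assumptions, not something the post specifies.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a firewall services file. The <ConfigRoot> element is an
# assumption about the file layout; the faultTolerance service mirrors the post.
SAMPLE_SERVICES_XML = """<ConfigRoot>
  <service id='0030'>
    <id>someOtherService</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>443</port>
    </rule>
  </service>
  <service id='0031'>
    <id>faultTolerance</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>80</port>
    </rule>
  </service>
  <service id='0032'>
    <id>anotherService</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <port type='dst'>514</port>
    </rule>
  </service>
</ConfigRoot>
"""


def next_service_id(root):
    """Return the next free service id, zero-padded to four digits like the file uses."""
    ids = [int(svc.get("id")) for svc in root.findall("service")]
    return "%04d" % (max(ids) + 1 if ids else 0)


def check_unique_ids(xml_text):
    """Return True when every <service id='...'> value in the document is unique."""
    root = ET.fromstring(xml_text)
    ids = [svc.get("id") for svc in root.findall("service")]
    return len(ids) == len(set(ids))


def add_service(xml_text, name, direction, protocol, port, port_type="dst"):
    """Append a single-rule service and return (new_xml_text, new_service_id).

    Validation is deliberately strict: a typo here ends up in a host firewall.
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be inbound or outbound")
    if protocol not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    if port_type not in ("dst", "src"):
        raise ValueError("port type must be dst or src")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")

    root = ET.fromstring(xml_text)  # raises ParseError on a malformed file
    existing_names = {svc.findtext("id") for svc in root.findall("service")}
    if name in existing_names:
        raise ValueError("a service named %r already exists" % name)

    new_id = next_service_id(root)
    svc = ET.SubElement(root, "service", id=new_id)
    ET.SubElement(svc, "id").text = name
    rule = ET.SubElement(svc, "rule", id="0000")
    ET.SubElement(rule, "direction").text = direction
    ET.SubElement(rule, "protocol").text = protocol
    ET.SubElement(rule, "port", type=port_type).text = str(port)

    new_xml = ET.tostring(root, encoding="unicode")
    if not check_unique_ids(new_xml):
        raise RuntimeError("duplicate service id after insert")
    return new_xml, new_id


if __name__ == "__main__":
    updated, sid = add_service(SAMPLE_SERVICES_XML, "CoolFirewallRule",
                               "outbound", "tcp", 12345)
    print("added service id", sid)
    print(updated)
```

Run against the constructed sample, the new service lands as id 0033, the same id the post arrived at by hand. The script only returns the new document text; writing it over /etc/vmware/firewall/services.xml is left to the operator, so the original file can be backed up first and diffed before it is replaced.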
I’ll bet you could get Luc Dekens to write up a PowerCLI script that would update that via SSH. 🙂
Cool! Thanks.
This is a great post. We have actually been looking for some sort of solution to a new firewall rule required by a special project here in our lab. Great work Jason!
Do these firewall changes persist over a reboot of the ESXi host?
I know, I know, I could check, but I am at work and cannot access my server right now.