Manage the ESXi Firewall

To minimize the risk of an attack through the management interface, ESXi includes a firewall between the management interface and the network. To ensure the integrity of the host, only a small number of firewall ports are open by default. The vSphere Security documentation explains how to set up firewalls for your environment and which ports you might have to temporarily enable for certain traffic.

You manage firewalls by setting up firewall rulesets. The vSphere Security documentation explains how to perform these tasks by using the vSphere Client. You can also use esxcli network firewall to manage firewall rulesets and to retrieve information about them. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.
  1. Check firewall status and sshServer ruleset status.
    esxcli <conn_options> network firewall get
       Default Action: DROP
       Enabled: true
       Loaded: true
    esxcli <conn_options> network firewall ruleset list --ruleset-id sshServer
    Name       Enabled
    ---------  -------
    sshServer  true
  2. Enable the sshServer ruleset if it is disabled.
    esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --enabled true
  3. Obtain access to the ESXi Shell and check the status of the allowedAll flag.
    esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer
    Ruleset    Allowed IP Addresses
    ---------  --------------------
    sshServer  All
    See Getting Started with ESXCLI for information on accessing the ESXi Shell.
  4. Set the status of the allowedAll flag to false.
    esxcli <conn_options> network firewall ruleset set --ruleset-id sshServer --allowed-all false
  5. Add the list of allowed IP addresses.
    esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.1.0/24
    esxcli <conn_options> network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 192.XXX.10.10
  6. Check the allowed IP address list.
    esxcli <conn_options> network firewall ruleset allowedip list --ruleset-id sshServer
    Ruleset    Allowed IP Addresses
    ---------  -----------------------------
    sshServer  192.XXX.10.10, 192.XXX.1.0/24
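The procedure above restricts one ruleset at a time. The following script, added here as an example and not part of the VMware documentation, generalizes the check in step 3 to every ruleset: it parses captured output of `ruleset list` and `ruleset allowedip list`, reports the rulesets that are both enabled and open to All source addresses, and prints the step 4 and 5 commands for each of them. CONN_OPTS, the host placeholder, the sample listings and the 192.0.2.0/24 addresses are assumptions constructed for the demo.

```shell
# Added example (not VMware's code). Assumes CONN_OPTS holds the <conn_options>
# for the host and that the two listings below were captured from
#   esxcli <conn_options> network firewall ruleset list
#   esxcli <conn_options> network firewall ruleset allowedip list
# The sample text and the 192.0.2.0/24 addresses are constructed for the demo.
CONN_OPTS=${CONN_OPTS:-'--server ESXI_HOST_PLACEHOLDER --username root'}
# Constructed sample output of `esxcli ... network firewall ruleset list`
SAMPLE_RULESETS='Name           Enabled
-------------  -------
sshServer      true
vSphereClient  true
ntpClient      true
snmp           false'
# Constructed sample output of `esxcli ... network firewall ruleset allowedip list`
SAMPLE_ALLOWEDIP='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
vSphereClient  All
ntpClient      192.0.2.0/24
snmp           All'

# Print the rulesets that are both enabled and open to All source addresses;
# a disabled ruleset with allowedAll (snmp above) is not reported.
open_to_all() {
    ruleset_list=$1
    printf '%s\n' "$2" | awk 'NR > 2 && $2 == "All" { print $1 }' |
    while read -r name; do
        printf '%s\n' "$ruleset_list" |
        awk -v n="$name" 'NR > 2 && $1 == n && $2 == "true" { print $1 }'
    done
}

# Emit the commands of steps 4 and 5 for one ruleset: clear allowedAll, then
# add each permitted address. Printed, not executed, so they can be reviewed.
restrict_commands() {
    ruleset=$1; shift
    printf 'esxcli %s network firewall ruleset set --ruleset-id %s --allowed-all false\n' \
        "$CONN_OPTS" "$ruleset"
    for ip in "$@"; do
        printf 'esxcli %s network firewall ruleset allowedip add --ruleset-id %s --ip-address %s\n' \
            "$CONN_OPTS" "$ruleset" "$ip"
    done
}

# Demo: generate the remediation for every enabled ruleset still open to All.
for r in $(open_to_all "$SAMPLE_RULESETS" "$SAMPLE_ALLOWEDIP"); do
    restrict_commands "$r" 192.0.2.0/24 192.0.2.10
done
```

Before running the printed commands against a host, confirm that the address you manage the host from is among the addresses being added, since the allowedAll change takes effect as soon as step 4 runs.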