In ESXi 5.0, the firewall has been completely revamped to provide the same functionality as the classic ESX Service Console esxcfg-firewall command. The firewall configuration is accessed through the esxcli namespace esxcli network firewall. By default, there is a set of predefined services that a user can enable or disable at startup.

To list the default firewall rules, you can run the following command:  

esxcli network firewall ruleset list

You can also create your own custom firewall rules/services, but unfortunately this has to be done outside of the esxcli framework, with a custom firewall rule configuration file. An example firewall rule file can be viewed under /etc/vmware/firewall/ if you have FDM enabled: you should find a file called fdm.xml, which looks a little something like this:
This XML configuration file describes the name of the firewall rule/service and also specifies the various ports, port type, protocol and direction of a given service.

In the following example, I will create a new firewall rule called “virtuallyGhetto” which opens port 1337 over TCP for both inbound and outbound and port 20120 over UDP for both inbound and outbound. You will need to create a new XML file and give it a name; I have called mine /etc/vmware/firewall/virtuallyGhetto.xml

Next we will need to reload the firewall by performing a “refresh” operation and then list the rulesets again using the following commands:

esxcli network firewall refresh
esxcli network firewall ruleset list

We can also verify the individual rules of our new ruleset by running the following command and grepping for the ruleset in question:

esxcli network firewall ruleset rule list | grep virtuallyGhetto

The new ESXi firewall also allows you to specify which IP addresses or IP ranges may access a particular service. In the following example I disable “allow all” and specify a particular range for the virtuallyGhetto service using the following commands:

esxcli network firewall ruleset set --allowed-all false --ruleset-id=virtuallyGhetto
esxcli network firewall ruleset allowedip add --ip-address=172.30.0.0/24 --ruleset-id=virtuallyGhetto
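The whole procedure, from the rule file (whose content has dropped out of this page) through the refresh and the allowed-IP restriction, as an added POSIX shell example that is not from the original post: ruleset_xml emits a ruleset file in the element layout of fdm.xml (ConfigRoot, service, id, rule, direction, protocol, porttype, port, enabled, required), and install_ruleset (an assumed helper name) writes it under /etc/vmware/firewall/ and runs the esxcli commands shown above. Run without arguments it only prints the virtuallyGhetto XML, so it can be tried off-host.

```shell
#!/bin/sh
# Emit an ESXi 5.0 firewall ruleset file in the fdm.xml layout.
# Usage: ruleset_xml NAME PROTO:PORT [PROTO:PORT ...]
# Every PROTO:PORT yields one inbound and one outbound rule, matching the
# virtuallyGhetto example (tcp:1337 and udp:20120).
ruleset_xml() {
    name=$1; shift
    printf '<ConfigRoot>\n  <service id="0000">\n    <id>%s</id>\n' "$name"
    n=0
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        for dir in inbound outbound; do
            printf '    <rule id="%04d">\n' "$n"
            printf '      <direction>%s</direction>\n      <protocol>%s</protocol>\n' "$dir" "$proto"
            printf '      <porttype>dst</porttype>\n      <port>%s</port>\n    </rule>\n' "$port"
            n=$((n + 1))
        done
    done
    # enabled: the ruleset is switched on when loaded; required=false leaves
    # admins free to disable it again from esxcli or the vSphere Client.
    printf '    <enabled>true</enabled>\n    <required>false</required>\n  </service>\n</ConfigRoot>\n'
}

# Assumed helper: write the file where ESXi looks for rulesets, reload the
# firewall, and replace the default "allow all" with a single source subnet.
install_ruleset() {
    name=$1; subnet=$2; shift 2
    xml=$(ruleset_xml "$name" "$@") || return 1     # validate before touching disk
    printf '%s\n' "$xml" > "/etc/vmware/firewall/$name.xml"
    esxcli network firewall refresh
    esxcli network firewall ruleset set --allowed-all false --ruleset-id="$name"
    esxcli network firewall ruleset allowedip add --ip-address="$subnet" --ruleset-id="$name"
    esxcli network firewall ruleset rule list | grep "$name"
}

if [ "${1:-}" = "--install" ]; then
    install_ruleset virtuallyGhetto 172.30.0.0/24 tcp:1337 udp:20120
else
    ruleset_xml virtuallyGhetto tcp:1337 udp:20120   # print the file only
fi
```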

The new firewall rules/services are also viewable under the host configuration section “Security Profile” using the vSphere Client:

As you can see it is pretty straightforward to add your own firewall rules, and this can easily be incorporated into your kickstart builds.

UPDATE1: For how to persist custom firewall rules in ESXi 5, take a look at these two articles here and here.

UPDATE2: Duncan Epping just posted an article on creating your own VIBs, which will persist firewall rules; definitely take a look as another option.

UPDATE3: You can now easily create persistent firewall rules and other files using the new VIB Author Fling; please take a look at this article here for some examples.

25 thoughts on “How to Create Custom Firewall Rules in ESXi 5.0”

    • I had the same behavior.

      When I rebooted the server all the custom firewall rules had been lost, although the XML files were present in the right directory.

      I had to refresh firewall rules through the command:

      esxcli network firewall refresh

      and then it loaded all my custom rules.

      Any idea how to fix this?

      Thank you.

      Giuseppe

    • I had the same problem. I can see my additional file is copied (in its timestamp) - but for some reason the firewall refresh doesn’t work. If I run the command, it works.

      Thinking it could be some kind of latency problem, I put the copy before the if, and the refresh command after - and so far, so good, it works every time.

  1. Very good information, but there is a typo in the fdm.xml example. The very first XML starting tag should read (and not ), or the file will not be accepted.

    - Andreas

  2. Ok thanks, now my new firewall rules are added to /etc/vmware/firewall/test.xml, how do I activate these rules? Are the rules auto-activated?

    Thanks for your answers

  3. I think it may be activated by vSphere Client - the relevant item appears in the settings.

    But I have an additional question. I saw an ‘smtp thrue’ string at the Firewall, but if I try ‘nc relay 25’ then ‘nc: getaddrinfo: Name or service not known’ is shown. What is it?

  4. Hey Folks,
    I have successfully created a firewall rule for SMTP but I can't get any emails. I set an SMTP server, port 25, email from and email to, but nothing happened, no error or anything else.

    Does anybody have an idea?

  5. The code around the fdm.xml script appears broken. I came here for the virtuallyGhetto.xml script, and that’s missing. Any chance of a review of this article for link-rot and missing content?

  6. >In the following example, I will create a new firewall rule called “virtuallyGhetto” and “

    You never showed the creation of this file. Did you create it by hand, using fdm.xml as a template?

  7. Hi,

    I want to know what the below options are used for when we create a custom firewall rule:

        <enabled>false</enabled>
        <required>false</required>

    Even if I set them to false, the firewall rule is selected in the GUI. Please help me understand what these options are used for?

    /etc/vmware/firewall/test.xml :

        <ConfigRoot>
          <service id="0000">
            <id>abed</id>
            <rule id="0000">
              <direction>inbound</direction>
              <protocol>tcp</protocol>
              <porttype>dst</porttype>
              <port>8182</port>
            </rule>
            <rule id="0001">
              <direction>outbound</direction>
              <protocol>udp</protocol>
              <porttype>dst</porttype>
              <port>8182</port>
            </rule>
            <enabled>false</enabled>
            <required>false</required>
          </service>
        </ConfigRoot>

Thanks for the comment!