8 weeks of #VCAP – The ESXi Firewall

Alright, continuing on the realm of security let's have a look at the built in firewall on ESXi.  This post will relate directly to Objective 7.2 on the blueprint!  Basically, a lot of this work can be done in either the GUI or the CLI, so chose what you are most comfortable with.  I'll be jumping back and forth from both!  Some things are just easier in the GUI I find….anyways, I only have like 4 weeks to go so let's get going…

First up, enable/disable pre configured services

Easy/Peasy!  Hit up the 'Security Profile' on a hosts configuration tab and select 'Properties' in the 'Services' section.  You should see something similar to that of below

I guess as far as enabling/disabling you would simply stop the service and set it to manual automation.

Speaking of automation, that's the second skill

As you can see above we have a few options in regards to automation behavior. We can Start/Stop with the host (basically on startup and shutdown), Start/Stop manually (we will go in here and do it), or Start automatically when …( I have no idea what this means 🙂 sorry – let me know in the comments 🙂 ).  Anyways, that's all there is to this!

We are flying through this, Open/Close Ports

Same spot as above just hit the 'Properties' link on the Firewall section this time.  Again, this is just as easy – just check/uncheck the boxes beside the service containing the port you want to open or close!  Have a look below – it's pretty simple!

Another releavant spot here is the 'Firewall' button at the bottom.  Aside from opening and closing a port, we can also specify which networks are able to get through if our port is open.  Below I'm allowing access only from the 192.168.1.0/24 network.  

Again this can be done within the CLI, but i find it much easier to accomplish inside of the GUI.  But, that's a personal preference so pick your poison!

That's what I get for talk about the CLI, custom services!

Aha!  Too much talk of the CLI leads us to a task that can only be completed via the CLI; Custom Services.  Basically, if you have a service that utilizes ports that aren't covered off by the default services you need to create your own spiffy little service so you can enable/disable it and open/close those ports and allow access to it.  So, off to the CLI we go…

The services in the ESXi firewall are defined by XML files located in /etc/vmware/firewall  The service.xml file contains the bulk of them and you can define yours in there, or you can simply add any xml file in the directory and it will be picked up (so long as it is defined properly).  If you have enabled HA you are in luck – you will see an fdm.xml file there.  Since the VCAP is time sensitive this might be your quickest way out as you can just copy that file, rename it to your service and modify as it fits.  If not, then you will have to get into service.xml and copy text out of there.  I'm going to assume HA is enabled and go the copy/modify route.

So, copy fdm.xml to your service name

Before modifying mynewservice.xml you will need to give root access to write to it, use the following to do so…

Now vi mynewservice.xml – if you don't know how to use 'vi', well, you better just learn, go find a site 🙂  Let's say we have a requirement to open up inbound tcp/udp 8000 and tcp/udp 8001 on the outbound.  We would make that file look as follows, simply replacing the name and ports and setting the enabled flag.

Alright, save that bad boy, and probably it's a good idea to run 'chmod o-w mynewservice.xml' and take away that write permission.  If you go and look at your services, or simply run 'esxcli network firewall ruleset list' you might say, "hey, where's my new service?"  Well, it won't show up until you refresh the firewall – to do so, use the following command..

Now you can go check in the GUI or do the following to list out your services…

Woot!  Woot!  It's there!  But wait, it's disabled.  No biggie, we can go ahead and enable it just as we did the others in the steps earlier in this post – or, hey, since we are in the CLI let's just do it now!

And that's that!  You are done!  If asked to set the allowedIP information, I'd probably just jump back to the GUI and do that!

Set firewall security level – More CLI goodness

Well before we can set the firewall security level let's first understand what security levels are available to us.  ESXi gives us three…

High – This is the default – basically, firewall blocks all incoming and outgoing ports except for the the essential ports it needs to run.

Medium  – All Incoming is blocked, except for any port you open – outgoing is a free for all

Low – Nada – have at it, everything is open.  

Anyway, we can get the default action by specifying

and to change it we have a few options…  Passing '-d false' would set us to DROP (the default HIGH security level), passing a '-d true' will set us up to PASS traffic (I think this would be the medium security) and setting a '-e false' will disable the firewall completely (the low settings).  So, to switch to medium we could do the following

I could be wrong here, so if I am just let me know and I'll update it 🙂

And guess what?  We are done with the firewall!  I would practice this stuff as it's easy measurable and can be quickly identified as you doing something right or wrong – I'd bet this will be on the exam in one way or another.  Good Luck!