Custom firewall rule on ESXi Host

Create a backup of the firewall config file first, so the stock rule set can be restored if the edit breaks it:

cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak

service.xml ships read-only with the sticky bit set. Change its permissions with chmod so it can be edited:

To allow writes:

chmod 644 /etc/vmware/firewall/service.xml

To set the sticky bit (chmod +t sets it, it does not toggle it):

chmod +t /etc/vmware/firewall/service.xml

Update file service.xml

vi /etc/vmware/firewall/service.xml

Add a service block inside the existing <ConfigRoot> element, for example an outbound rule for a Squid proxy on 3128/tcp. The numeric service id (0045 here) must not already be used by another <service> in the file, and the <id> name is what esxcli later refers to as the ruleset id:

<!-- Proxy Server on 3128/tcp -->
<service id='0045'>
  <id>Proxy Server Squid</id>
  <rule id='0000'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <porttype>dst</porttype>
    <port>
      <begin>3128</begin>
      <end>3128</end>
    </port>
  </rule>
  <enabled>false</enabled>
  <required>false</required>
</service>

The service is added disabled (<enabled>false</enabled>), so it passes no traffic until it is enabled, either through esxcli network firewall ruleset set or by writing true in the file as the boot-time drop-in below does. Restore the original permissions (read-only, sticky bit set):

chmod 444 /etc/vmware/firewall/service.xml
chmod +t /etc/vmware/firewall/service.xml

Refresh the firewall rules for the changes to take effect by running the command:

esxcli network firewall refresh

Edits to /etc/vmware/firewall/ do not survive a reboot. To make the rule persistent, keep it as a separate drop-in file on a datastore and copy it back into /etc/vmware/firewall/ at boot time:

Create the file /vmfs/volumes/datastore1/etc/squid.xml (datastore1 is the example datastore name; create the etc directory if it does not exist) with the following content:

<ConfigRoot>
  <service>
    <id>Proxy Server Squid</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>3128</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Edit the file /etc/rc.local (on ESXi 5.1 and later /etc/rc.local is no longer executed at boot; put the same lines in /etc/rc.local.d/local.sh instead, before its final exit 0):

chmod 644 /etc/rc.local
chmod +t /etc/rc.local
vi /etc/rc.local

so that the drop-in file is copied back into place and loaded at boot time. Append the following lines to the end of the file:

# copy the firewall drop-in from its holding place on the datastore back into /etc/vmware/firewall/
cp /vmfs/volumes/datastore1/etc/squid.xml /etc/vmware/firewall/

# reload the firewall rules so the copied file takes effect
esxcli network firewall refresh

Restore the original permissions:

chmod 555 /etc/rc.local
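The whole procedure above, the rule file plus the boot-time copy, as an added shell example that is not from the original page. It stages the ConfigRoot drop-in on the datastore, checks service.xml so that a hand-picked numeric service id or ruleset name does not collide with an existing one, validates port, direction and protocol, copies the file into /etc/vmware/firewall/ and refreshes. The function names are mine; SERVICE_XML, FIREWALL_DIR and STAGE_DIR are assumed environment overrides (defaults are the page's paths) so the helpers can be exercised off-host. Only busybox/POSIX tools available on an ESXi shell (sed, grep, sort, printf, cp) are used.

```shell
#!/bin/sh
# Added example (not from the original page): stage an ESXi firewall rule
# drop-in on a datastore, copy it into /etc/vmware/firewall/ and refresh.
# SERVICE_XML, FIREWALL_DIR and STAGE_DIR are hypothetical overrides for
# running the helpers on a non-ESXi box; the defaults are the page's paths.

SERVICE_XML="${SERVICE_XML:-/etc/vmware/firewall/service.xml}"
FIREWALL_DIR="${FIREWALL_DIR:-/etc/vmware/firewall}"
STAGE_DIR="${STAGE_DIR:-/vmfs/volumes/datastore1/etc}"

# Print the next unused 4-digit numeric service id found in a service.xml,
# so a hand edit does not reuse one that is already taken (e.g. '0045').
next_service_id() {
    max=$(sed -n "s/.*<service id=['\"]\([0-9][0-9]*\)['\"].*/\1/p" "$1" | sort -n | tail -n 1)
    if [ -z "$max" ]; then
        echo 0000
        return 0
    fi
    n=$(printf '%s' "$max" | sed 's/^0*//')   # strip zeros: "0045" would be read as octal
    [ -z "$n" ] && n=0
    printf '%04d' $((n + 1))
}

# Return 0 if a ruleset with this display name (<id>) already exists in the file.
ruleset_exists() {
    grep -q "<id>$2</id>" "$1"
}

# Return 0 only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit a ConfigRoot drop-in for one port. Args: name direction protocol port
make_rule_xml() {
    cat <<EOF
<ConfigRoot>
  <service>
    <id>$1</id>
    <rule id='0000'>
      <direction>$2</direction>
      <protocol>$3</protocol>
      <porttype>dst</porttype>
      <port>$4</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Validate, stage on the datastore, copy into place (the same copy the
# boot-time script performs) and refresh. Args: name direction protocol port basename
install_rule() {
    name="$1"; dir="$2"; proto="$3"; port="$4"; base="$5"
    if ruleset_exists "$SERVICE_XML" "$name"; then
        echo "ruleset '$name' is already defined in $SERVICE_XML" >&2
        return 1
    fi
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    case "$dir" in inbound|outbound) ;; *) echo "direction must be inbound or outbound" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    mkdir -p "$STAGE_DIR"
    make_rule_xml "$name" "$dir" "$proto" "$port" > "$STAGE_DIR/$base.xml"
    cp "$STAGE_DIR/$base.xml" "$FIREWALL_DIR/$base.xml"
    esxcli network firewall refresh
}

# Usage on the host:  sh thisscript.sh install "Proxy Server Squid" outbound tcp 3128 squid
case "${1:-}" in
    install) shift; install_rule "$@" ;;
esac
```

Because the drop-in carries <enabled>true</enabled>, the refresh alone activates it; the duplicate check matters because two services with the same <id> name make the esxcli ruleset commands ambiguous.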