Last active November 18, 2023 21:24
Gist: dtaivpp/3cfb7924fd7252f52ee9bf7cc35047af
Adding ESXi v7 Persistent Firewall Rule
```sh
#!/bin/sh
# local configuration options
# Note: modify at your own risk! If you do/use anything in this
# script that is not part of a stable API (relying on files to be in
# specific places, specific tools, specific output, etc) there is a
# possibility you will end up with a broken system after patching or
# upgrading. Changes are not supported unless under direction of
# VMware support.
# Note: This script will not be run when UEFI secure boot is enabled.

# Ruleset for the logging ports. The file is rewritten on every boot,
# which is what makes the rules persist across reboots and upgrades.
/bin/cat > /etc/vmware/firewall/logging.xml << EOF
<ConfigRoot>
  <!-- Logging Ports for communication -->
  <service>
    <id>logging-ports</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>5140</begin>
        <end>5140</end>
      </port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>2055</begin>
        <end>2055</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF

# Ruleset for the Kubernetes API port, inbound and outbound.
/bin/cat > /etc/vmware/firewall/k8s.xml << EOF
<ConfigRoot>
  <!-- Kubernetes Ports for communication -->
  <service>
    <id>kubernetes-ports</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>6443</begin>
        <end>6443</end>
      </port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>6443</begin>
        <end>6443</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF

# Reload the rulesets so the new services take effect without a reboot.
/sbin/esxcli network firewall refresh
exit 0
```
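Added check, not part of the gist: a small Python validator for ruleset files in the layout the script writes. It parses the same elements, reports structural mistakes (bad direction or protocol, missing or out-of-order port bounds) and, from a hardening standpoint, flags inbound rules that open a wide range such as the 5000-57000 one asked about in the comments. The sample XML, the 1024-port threshold and the function name are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the gist's logging.xml, plus one
# deliberately wide rule (the 5000-57000 range asked about in the comments).
SAMPLE_RULESET = """<ConfigRoot>
  <service>
    <id>logging-ports</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port><begin>5140</begin><end>5140</end></port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port><begin>5000</begin><end>57000</end></port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>"""

MAX_INBOUND_RANGE = 1024  # assumption: flag inbound rules wider than this

def check_ruleset(xml_text, max_range=MAX_INBOUND_RANGE):
    """Return findings for an ESXi firewall ruleset; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for svc in root.iter("service"):
        sid = svc.findtext("id") or "?"
        if sid == "?":
            findings.append("service without <id>")
        for rule in svc.findall("rule"):
            where = f"{sid}/rule {rule.get('id', '?')}"
            direction = rule.findtext("direction")
            if direction not in ("inbound", "outbound"):
                findings.append(f"{where}: bad direction {direction!r}")
            if rule.findtext("protocol") not in ("tcp", "udp"):
                findings.append(f"{where}: protocol must be tcp or udp")
            try:  # findtext() returns None when a bound is missing -> TypeError
                begin, end = (int(rule.findtext(f"port/{t}")) for t in ("begin", "end"))
            except (TypeError, ValueError):
                findings.append(f"{where}: missing or non-numeric port bounds")
                continue
            if not 1 <= begin <= end <= 65535:
                findings.append(f"{where}: port range {begin}-{end} is invalid")
            elif direction == "inbound" and end - begin + 1 > max_range:
                findings.append(f"{where}: inbound range {begin}-{end} opens {end - begin + 1} ports")
    return findings
```

Run it over each file in /etc/vmware/firewall/ before calling `esxcli network firewall refresh`; a rule that fails parsing is silently skipped by the host, which is one reason a "custom XML isn't loading".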
You should be able to modify begin/end to the port range that you are looking for. It may be blocking you because 49152-65535 are generally reserved for client devices on the network. Can you share your config?
I figured it out. Thank you so much for getting back to me. It's the darn VBS; even though I unchecked it and thought I removed the settings off of the VM, it was still persistent. I had to rebuild the VM and that resolved my issue.
Thank you so much for the script. Is there a way to modify it to open all ports upward from 500-57000? I'm running ESXi and would like to use
5000
57000
ESXi 7 isn't loading my custom settings despite creating a custom XML which I placed in /etc/vmware/firewall/. I'm not too sure what I am doing wrong.
I'm running a bunch of containers on top of my ESXi and don't want to deal with creating a custom.xml for each port required.
I'd rather just disable the firewall altogether, but it's not doable.