Objective 2.6 - Manage Service Console Firewall Configurations
Written by Matthijs van den Berg   
Tuesday, 10 February 2009 15:03

KNOWLEDGE

  • Understand firewall rules
    The firewall on an ESX server limits traffic from and to the ESX host on a TCP/UDP port basis. You can limit which ports are available, but you cannot limit traffic based on source or destination IP address; all addresses are allowed.

    To implement a policy that limits traffic based on IP addresses you can use TCP Wrappers. This, however, is not a standard configuration item and can only be configured from the command line. I prefer to use a firewall to limit traffic to the service console from the rest of the network, but TCP Wrappers can be a valuable add-on in high-security environments.

    To allow the ESX host to communicate with the other systems on the network, the firewall needs to be opened up. There is a standard configuration that allows management traffic from and to the host for maintenance, HA, etc.

  • Explain the use of services in a firewall configuration
    When you configure the firewall via the GUI you can easily enable and disable certain services by clicking the checkbox in front of them. The services are preconfigured settings in a default VMware install. You can manually add services to the list in the GUI via the CLI using XML files. To do so, follow the instructions in this objective under the Skills and Abilities chapter.
  • Identify which ports must be open in a virtual infrastructure firewall configuration
    For a VMware infrastructure to be fully operational, some firewall ports must be open. I have compiled a list from a default install, based on services:

    Purpose                                   Service                     Ports
    SNMP Traps (optional, default open)       SNMP Server                 Incoming – 161 (UDP); Outgoing – 162 (UDP)
    VMware Virtual Center management traffic  VMware VirtualCenter Agent  Outgoing – 902 (UDP)
    Backup Proxy                              VCB                         Outgoing – 443, 902 (TCP)
    License verification                      VMware License Client       Outgoing – 27000, 27010 (TCP)
    VMware HA                                 aam                         Incoming – 2050-2250, 8042-8045 (TCP, UDP); Outgoing – 2050-2250, 8042-8045
    CIM SLP                                   CIM SLP                     Incoming – 427 (UDP); Outgoing – 427 (TCP)
    SSH Remote CLI access                     SSH Server                  Outgoing – 22 (TCP)

SKILLS AND ABILITIES

  • Configure ESX Server firewall settings
    Command Line
    Use the esxcfg-firewall command line utility to add and remove firewall rules. A rule configured from the command line is effective immediately. You can check the active firewall rules with:
    esxcfg-firewall -q
    The most used options are:
    --openPort <port,tcp|udp,in|out,name>
    --closePort <port,tcp|udp,in|out>
    VI client
    Incoming and outgoing traffic can be permitted via the VI Client:
    - Select an ESX host
    - Click configure
    - Select Security Profile
    - Click Properties.

    All firewall rules are kept in configuration files on the ESX host. These files are in an XML layout, making them easy to edit by hand. You can add a file with your own description and TCP/UDP ports. The files can be found here (a service mgmt-vmware restart is needed after changing them):
    /etc/vmware/firewall/

    TCP wrappers is used to allow and deny designated IP addresses or IP address ranges access to services on the system. In the following example we only permit SSH access from one subnet.
    TCP wrappers allow access:
    Edit the /etc/hosts.allow file on the VMware server via the command line:
    nano /etc/hosts.allow
    You can add or delete hosts or subnets in this file. You can specify the host or subnet for all services, or specify access to a specific service. The allow file is used to allow only designated IPs or subnets; the deny file is used to deny specified hosts or subnets. An example of how to allow only a specified subnet SSH access (the SSH daemon, sshd) is provided below.
    sshd: 10.10.10.: ALLOW
    sshd: ALL: DENY
    The 10.10.10. represents a class C subnet. By leaving out digits from a complete address a subnet is defined. The ALL: DENY part is obligatory! If you leave this out, all other traffic will still be permitted! The most secure way is to deny all traffic (ALL: ALL in hosts.deny) and permit only the traffic you want in hosts.allow. The VMware daemon is not included in the TCP wrapper rules!
    More info can be found in the man pages: man hosts_access. Another way to limit traffic to the ESX host is to use xinetd and to include an only_from line in the config file. More info on this via man xinetd.conf.
  • Open and close ports
    To open ports you can use the GUI for the predefined services or the CLI for additional ports:
    GUI:
    - Select an ESX host
    - Click Configure
    - Select Security Profile
    - Click Properties.
    CLI:
    I prefer to create a service (described above) and enable or disable that service to allow or deny access. You can also open and close ports directly on the firewall via the CLI.
    To open a port use:
    esxcfg-firewall --openPort <portnr>,<tcp|udp>,<in|out>,<name>
    Example:
    esxcfg-firewall --openPort 1234,tcp,in,test
    To close a port use:
    esxcfg-firewall --closePort <portnr>,<tcp|udp>,<in|out>
    Example:
    esxcfg-firewall --closePort 1234,tcp,in
  • Monitor firewall logs
    All firewall related messages are logged in the file:
    /var/log/vmware/esxcfg-firewall.log
    Permits, denies and drops are logged, as are faulty changes to the firewall. Example:
    2009-02-10 14:52:33 (18869) ERROR:  OpenPort:  must specify port, direction, protocol and name.
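The TCP wrappers rules under Configure ESX Server firewall settings above are decided by first match in hosts.allow, then hosts.deny, with an unmatched client permitted. The following added example (constructed here, not from the original page or from VMware) models that hosts_access(5) matching in Python so the page's sshd rules, and the failure mode of omitting the ALL: DENY line, can be checked without touching a host; the rule sets PAGE_ALLOW, INCOMPLETE_ALLOW, STRICT_ALLOW and STRICT_DENY are constructed inputs.

```python
"""Model of the hosts_access(5) matching TCP wrappers apply on the ESX service
console (constructed example, not from the original page). hosts.allow is read
first, then hosts.deny; the first matching rule decides and an unmatched client
is permitted. "daemon: client: ALLOW|DENY" lines override the file's default."""
from typing import List, Tuple

def parse_rules(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'daemon_list : client_list [: ALLOW|DENY]' lines, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue  # blank line or a line without a client list
        option = parts[2].upper() if len(parts) > 2 else ""
        rules.append((parts[0], parts[1], option))
    return rules

def _match(patterns: str, value: str, is_client: bool) -> bool:
    """True if any pattern in a comma/space separated list matches value."""
    for pat in patterns.replace(",", " ").split():
        if pat == "ALL" or pat == value:
            return True
        if is_client and pat.endswith(".") and value.startswith(pat):
            return True  # trailing dot: numeric prefix, e.g. one class C network
    return False

def access_allowed(daemon: str, client: str, hosts_allow: str, hosts_deny: str) -> bool:
    """Decide one connection the way tcpd/libwrap would from both files."""
    for file_default, text in (("ALLOW", hosts_allow), ("DENY", hosts_deny)):
        for daemons, clients, option in parse_rules(text):
            if _match(daemons, daemon, False) and _match(clients, client, True):
                return (option or file_default) == "ALLOW"
    return True  # no rule matched: TCP wrappers grant access

# Constructed rule sets. PAGE_ALLOW is the page's sshd example; INCOMPLETE_ALLOW
# drops the "sshd: ALL: DENY" line; STRICT_* is the default-deny layout it recommends.
PAGE_ALLOW = "sshd: 10.10.10.: ALLOW\nsshd: ALL: DENY\n"
INCOMPLETE_ALLOW = "sshd: 10.10.10.: ALLOW\n"
STRICT_ALLOW = "sshd: 10.10.10.\n"
STRICT_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for label, allow, deny in (("page", PAGE_ALLOW, ""),
                               ("incomplete", INCOMPLETE_ALLOW, ""),
                               ("strict", STRICT_ALLOW, STRICT_DENY)):
        for client in ("10.10.10.25", "10.10.100.25", "192.168.1.5"):
            print(label, client, access_allowed("sshd", client, allow, deny))
```

Note that 10.10.100.25 is refused by the page's rules only because of the trailing dot in 10.10.10., and that with the incomplete file every address reaches sshd.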


Tools

  • CLI
    • esxcfg-firewall
  • VI client