I’ve written previously about working with the ESXi firewall, including changing rules and setting security levels. This post will have a look at troubleshooting the ESXi firewall.
You can use both the vSphere client and esxcli to help you when troubleshooting.
Troubleshooting the ESXi Firewall using the vSphere Client
Using the vSphere client, go to the host’s Configuration tab, then click on Security Profile. Under ‘Firewall’, click Properties to view the firewall rules:
Using this console you can enable and disable the various services, and change which addresses are allowed to connect to the host, on a per-port/service basis:
Troubleshooting the ESXi Firewall with ESXCLI
ESXCLI offers a lot in terms of helping you troubleshoot the firewall. To start with you can view the status of the firewall by running:
~ # esxcli network firewall get
   Default Action: DROP
   Enabled: true
   Loaded: true
You can unload and load the firewall module, though the firewall will need to be disabled first, if you want to unload it:
~ # esxcli network firewall set --enabled false
~ # esxcli network firewall unload
~ # esxcli network firewall load
If it has been disabled, you can enable it with:
~ # esxcli network firewall set --enabled true
You can refresh the firewall’s loaded configuration by running:
~ # esxcli network firewall refresh
You can list the firewall rules by running:
~ # esxcli network firewall ruleset list
Name                Enabled
------------------  -------
sshServer           true
sshClient           false
nfsClient           false
dhcp                true
dns                 true
snmp                true
And list the rule settings with:
~ # esxcli network firewall ruleset rule list
Ruleset             Direction  Protocol  Port Type  Port Begin  Port End
------------------  ---------  --------  ---------  ----------  --------
sshServer           Inbound    TCP       Dst        22          22
sshClient           Outbound   TCP       Dst        22          22
nfsClient           Outbound   TCP       Dst        0           65535
dhcp                Inbound    UDP       Dst        68          68
snmp                Inbound    UDP       Dst        161         161
You can view which IPs are allowed for a given ruleset by running:
~ # esxcli network firewall ruleset allowedip list
Ruleset             Allowed IP Addresses
------------------  --------------------
sshServer           All
sshClient           All
nfsClient           All
dhcp                All
dns                 All
snmp                10.10.10.1
ntpClient           All
CIMHttpServer       All
From the last two commands, we can see that there is an inbound UDP rule for SNMP on port 161, and that it will only accept traffic from 10.10.10.1, whereas the other enabled rulesets accept connections from any address.
Testing Connectivity
To test connectivity to ports you have enabled, you can use Netcat:
~ # nc -h
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
          [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
          [-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
        -4              Use IPv4
        -6              Use IPv6
        -D              Enable the debug socket option
        -d              Detach from stdin
        -h              This help text
        -i secs         Delay interval for lines sent, ports scanned
        -k              Keep inbound sockets open for multiple connects
        -l              Listen mode, for inbound connects
        -n              Suppress name/port resolutions
        -p port         Specify local port for remote connects
        -r              Randomize remote ports
        -s addr         Local source address
        -T ToS          Set IP Type of Service
        -C              Send CRLF as line-ending
        -t              Answer TELNET negotiation
        -U              Use UNIX domain socket
        -u              UDP mode
        -v              Verbose
        -w secs         Timeout for connects and final net reads
        -X proto        Proxy protocol: "4", "5" (SOCKS) or "connect"
        -x addr[:port]  Specify proxy address and port
        -z              Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]
To test connectivity to a particular IP/port you can run (the -z flag makes a connection attempt without sending any data):
nc -z 192.168.1.1 80
Or you can test a range of ports, with a one-second timeout per port, with:
nc -w 1 -z 192.168.1.1 80-120
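Putting the ruleset listings and the Netcat checks together, as an added example that is not from the original post: a POSIX shell script (assumes the busybox awk found in the ESXi shell) that joins the three esxcli listings above to find enabled inbound rulesets open to All, then prints the Netcat probes to run against a host address of your choice. The table text is a constructed copy of this post's sample output.

```shell
# Constructed sample output, copied from the listings in this post. On a live
# host, replace each here-string with the matching esxcli command's output.
RULESETS='Name                Enabled
------------------  -------
sshServer           true
sshClient           false
nfsClient           false
dhcp                true
dns                 true
snmp                true'
RULES='Ruleset             Direction  Protocol  Port Type  Port Begin  Port End
------------------  ---------  --------  ---------  ----------  --------
sshServer           Inbound    TCP       Dst        22          22
sshClient           Outbound   TCP       Dst        22          22
nfsClient           Outbound   TCP       Dst        0           65535
dhcp                Inbound    UDP       Dst        68          68
snmp                Inbound    UDP       Dst        161         161'
ALLOWED='Ruleset             Allowed IP Addresses
------------------  --------------------
sshServer           All
sshClient           All
nfsClient           All
dhcp                All
dns                 All
snmp                10.10.10.1
ntpClient           All
CIMHttpServer       All'
# Join the three listings (skipping the two header lines of each) and print
# "ruleset protocol port" for every enabled, inbound ruleset whose allowed
# source is All, i.e. a listening port not restricted to known addresses.
open_inbound() {
  {
    printf '%s\n' "$RULESETS" | awk 'NR>2 {print "R", $1, $2}'
    printf '%s\n' "$ALLOWED"  | awk 'NR>2 {print "A", $1, $2}'
    printf '%s\n' "$RULES"    | awk 'NR>2 {print "P", $1, $2, $3, $5}'
  } | awk '
    $1 == "R" { enabled[$2] = ($3 == "true") }
    $1 == "A" { allowed[$2] = $3 }
    $1 == "P" && $3 == "Inbound" && enabled[$2] && allowed[$2] == "All" {
      print $2, $4, $5 }'
}

# Turn that list into the Netcat probes from the post: -z for a zero-I/O
# connect test, -w 1 for a one-second timeout, -u for UDP rulesets.
probe_commands() {
  open_inbound | while read -r ruleset proto port; do
    [ "$proto" = "UDP" ] && u=" -u" || u=""
    echo "nc -w 1 -z$u $1 $port"
  done
}
```

With the sample data, open_inbound reports sshServer (TCP 22) and dhcp (UDP 68) as open to any source, while snmp is skipped because it is restricted to 10.10.10.1.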
If you want to see what sessions are established you can run:
~ # esxcli network ip connection list
Proto  Recv Q  Send Q  Local Address       Foreign Address     State        World ID  World Name
-----  ------  ------  ------------------  ------------------  -----------  --------  ---------------
tcp    0       0       127.0.0.1:8307      127.0.0.1:51833     ESTABLISHED  13607     hostd-worker
tcp    0       0       127.0.0.1:51833     127.0.0.1:8307      ESTABLISHED  13605     hostd-worker
tcp    0       0       127.0.0.1:443       127.0.0.1:59976     ESTABLISHED  2944      hostd-worker
tcp    0       0       127.0.0.1:59976     127.0.0.1:443       ESTABLISHED  18188     python
tcp    0       1383    127.0.0.1:8307      127.0.0.1:51610     ESTABLISHED  13829     hostd-worker
tcp    0       0       127.0.0.1:51610     127.0.0.1:8307      ESTABLISHED  3188      vpxa-worker
tcp    0       0       127.0.0.1:62935     127.0.0.1:8307      TIME_WAIT    0
tcp    0       0       127.0.0.1:60718     127.0.0.1:443       TIME_WAIT    0
tcp    0       0       127.0.0.1:8307      127.0.0.1:59467     ESTABLISHED  2944      hostd-worker
tcp    0       0       127.0.0.1:59467     127.0.0.1:8307      ESTABLISHED  2944      hostd-worker
tcp    0       0       192.168.88.134:443  192.168.88.1:57758  ESTABLISHED  2991      hostd-worker