
How to: Open specific ports in vCSA 6.0

VMware released vCenter 6.0 in 2015. Like everyone else who gets excited about new technology, we were eager to see what had changed. After we upgraded to vCenter 6.0, we noticed that while it was more locked down, its shell could still give us plenty of access.

VMware provides instructions on how to use the appliance's 'firewall' functionality, but it only allows adding an IP address or IP range to the list of systems allowed to communicate with vCenter.

I hate to say it, but it doesn't let you open a port. That was a problem, since one of our applications needed to use different ports for communication. We had to open those ports, and that proved harder than we expected.

There are shortcuts: you can use an iptables command to add a firewall rule temporarily, but it won't persist unless you save the iptables state to a file and have the operating system load the rules from that file at boot. I really did not want to go to that much trouble.

Let's open some ports.


1. Log in to the vCSA appliance using SSH.

2. Enter the command "shell.set --enabled true" and then "shell" to enable shell access.

3. Change to the directory "/etc/vmware/appliance/firewall/".

4. Create a new file named "ServiceName" with the command "vi ServiceName".

5. The above command opens a new, empty file. Insert the following entries into it.

NOTE - In the following example I am using ports 100 to 150. Use whichever ports your application requires.

{
    "firewall": {
        "enable": true,
        "rules": [
            {
                "direction": "inbound",
                "protocol": "tcp",
                "porttype": "dst",
                "port": "48000:48050",
                "portoffset": 0
            },
            {
                "direction": "inbound",
                "protocol": "udp",
                "porttype": "dst",
                "port": "100:150",
                "portoffset": 0
            }
        ]
    }
}

6. To save and exit, press the Escape key, type :wq (or :wq!) and press Enter.

7. Once step 6 is completed, run the following command to reload the firewall rules:

         /usr/lib/applmgmt/networking/bin/firewall-reload

8. To check that the rules are in place, run iptables --list on the vCSA.
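As an added example (my own helper, not part of the original post or any VMware tool), here is a small Python script that builds a ServiceName file in the format shown above and audits an existing one before you reload the firewall. The field names and the "inbound"/"tcp"/"udp" values come from the example above; the port-bounds check and the maximum-span limit are my own assumptions about what is sensible to enforce.

```python
import json
import re

# Field names and values follow the ServiceName example above; the checks
# (port bounds, range ordering, maximum span) are this script's own additions.
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")
MAX_SPAN = 100  # assumption: refuse to open more than this many ports per rule

def parse_port_range(port):
    """Return (start, end) for "N" or "N:M"; raise ValueError if malformed."""
    m = PORT_RE.match(port)
    if not m:
        raise ValueError(f"malformed port spec: {port!r}")
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else start
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {port!r}")
    return start, end

def make_rule(protocol, port):
    """Build one inbound rule dict in the page's format after validating it."""
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {protocol!r}")
    start, end = parse_port_range(port)
    if end - start + 1 > MAX_SPAN:
        raise ValueError(f"{port!r} opens {end - start + 1} ports (> {MAX_SPAN})")
    return {"direction": "inbound", "protocol": protocol,
            "porttype": "dst", "port": port, "portoffset": 0}

def build_service_file(specs):
    """Render a complete ServiceName file from [(protocol, port), ...]."""
    rules = [make_rule(proto, port) for proto, port in specs]
    return json.dumps({"firewall": {"enable": True, "rules": rules}}, indent=4)

def audit_service_file(text):
    """Parse a ServiceName file and list the (protocol, start, end) it opens,
    so an existing appliance rule file can be reviewed before reloading."""
    fw = json.loads(text)["firewall"]
    if not fw.get("enable", False):
        return []  # a disabled block opens nothing
    return [(r["protocol"],) + parse_port_range(r["port"]) for r in fw["rules"]]

if __name__ == "__main__":
    # Constructed sample using the same ranges as the example above.
    text = build_service_file([("tcp", "48000:48050"), ("udp", "100:150")])
    print(text)
    print(audit_service_file(text))
```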
