VMware ESXi Hardening
Unlike iptables, VMware ESXi firewall rules are not inherently persistent.
If Survive Reboot = FALSE, changes won’t be retained after a reboot.
However, you can make them persistent by adding the appropriate esxcli commands
to the ESXi startup script:
/etc/rc.local.d/local.sh
You should always run VMware ESXi with a default-deny policy, allowing only whitelisted IPs — especially for SSH access.
Equally important is to disable any services that are not in use to further harden security.
VMware ESXi built-in firewall
esxcli network firewall get
shows a list of all firewall rulesets configured on your ESXi host.
For each ruleset the output shows:
- The name of the ruleset (e.g., `sshServer`, `vSphereClient`, `httpClient`)
- Whether the ruleset is enabled (i.e., whether the firewall rule is active and the associated port is open)
- Whether the ruleset's enable/disable state is configurable
- Whether allowed IPs are configurable for that ruleset
To list the rulesets, run:
esxcli network firewall ruleset list
Restrict outbound HTTP access on ESXi by disabling “allow all” and defining only specific trusted IPs.
To improve security on VMware ESXi, it’s recommended to disable unrestricted HTTP client access and allow only specific IP addresses. This ensures that package downloads and updates can only be performed from approved management hosts or proxies.
1️⃣ Disable “Allow All”
esxcli network firewall ruleset set --ruleset-id=httpClient --allowed-all=false
2️⃣ Add Allowed IP Addresses
esxcli network firewall ruleset allowedip add --ruleset-id=httpClient --ip-address=1.1.1.1
esxcli network firewall ruleset allowedip add --ruleset-id=httpClient --ip-address=1.0.0.1
3️⃣ Enable the HTTP Ruleset (if not already enabled)
esxcli network firewall ruleset set --ruleset-id=httpClient --enabled=true
4️⃣ Reload the Firewall (if needed)
esxcli network firewall refresh
✅ Result: Only specified IPs will be able to connect via the HTTP client service, providing tighter control and minimizing exposure to unauthorized outbound traffic.
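Because the steps above do not survive a reboot on their own, the following added example (not code from the original page) generates the same esxcli lines as a fragment for /etc/rc.local.d/local.sh, covering the default-deny policy plus the SSH and httpClient allow-lists, and includes a small audit that reads `esxcli network firewall ruleset allowedip list` output to flag rulesets still open to everyone. The `--default-action=false` (drop) option is esxcli's own and is not shown on the page; 192.0.2.10 is a constructed management address, and the function names are this example's.

```shell
#!/bin/sh
# Added example, not from the original page: build a local.sh fragment that
# re-applies firewall allow-lists at boot, plus an allow-all audit.
# Ruleset ids (sshServer, httpClient) and the IPs 1.1.1.1/1.0.0.1 come from
# the page; 192.0.2.10 is a constructed management host (TEST-NET-1).

# Print the esxcli commands that lock RULESET down to the listed IPs.
# Usage: restrict_ruleset_cmds RULESET IP [IP...]
restrict_ruleset_cmds() {
    ruleset="$1"; shift
    # 1. drop "allow all" so only the listed sources may use the ruleset
    echo "esxcli network firewall ruleset set --ruleset-id=$ruleset --allowed-all=false"
    # 2. add each approved management host or proxy
    for ip in "$@"; do
        echo "esxcli network firewall ruleset allowedip add --ruleset-id=$ruleset --ip-address=$ip"
    done
    # 3. make sure the ruleset itself is enabled
    echo "esxcli network firewall ruleset set --ruleset-id=$ruleset --enabled=true"
}

# Complete fragment: default-deny, per-ruleset allow-lists, then one refresh
# so the new rules take effect.
local_sh_fragment() {
    echo "# --- firewall allow-lists (re-applied at boot) ---"
    echo "esxcli network firewall set --default-action=false"
    restrict_ruleset_cmds sshServer 192.0.2.10
    restrict_ruleset_cmds httpClient 1.1.1.1 1.0.0.1
    echo "esxcli network firewall refresh"
}

# Audit: read "esxcli network firewall ruleset allowedip list" output on
# stdin and print every ruleset whose allowed-IP column is still "All".
allowed_all_rulesets() {
    awk 'NR > 2 && $2 == "All" { print $1 }'   # NR > 2 skips the two header lines
}

# Constructed sample of that command's output (not captured from a host).
SAMPLE_ALLOWEDIP_LIST='Ruleset     Allowed IP Addresses
----------  --------------------
httpClient  1.1.1.1, 1.0.0.1
sshServer   All
ntpClient   All'

# Stand-alone run: show the fragment, then the rulesets still wide open.
local_sh_fragment
printf '%s\n' "$SAMPLE_ALLOWEDIP_LIST" | allowed_all_rulesets
```

Paste the fragment above the closing `exit 0` of /etc/rc.local.d/local.sh, and run the audit after a reboot to confirm the allow-lists were re-applied.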
List Firewall Rules
Displays the active allowed IP rules.
esxcli network firewall ruleset allowedip list --ruleset-id httpClient
Displays open ports and listening IP addresses: which network ports are open and actively listening on your ESXi host, and the IP address bound to each.
esxcli network ip connection list | grep -i listen
Displays all ESXi firewall rulesets with default and persistence details.
- If Survive Reboot = FALSE: the ruleset's state (enabled/disabled) does not persist after a reboot.
- If Default = TRUE: the ruleset is enabled by default when the host boots or when no custom override exists.
- Ruleset Name: unique identifier used for ESXi firewall operations.
- Firewall Name: human-readable alias describing the service associated with the ruleset.
📌 Key Points About Ruleset Order:
- Purpose: controls how rules are displayed in CLI/UI.
- Not a Priority: does not affect enforcement priority like in iptables.
- User Editable: not directly configurable by esxcli; defined by VMware or VIB packages.
- Value Type: integer (0–N), visible in CLI output or exported configs.
📌 Key Clarifications:
- In-Ord: order in which inbound firewall rules are internally evaluated.
- Not Boot Order: it does not reflect startup or boot priority.
- Paired with Out-Ord: helps organize rules logically for both directions.
| Default | Survive Reboot | Ruleset Name | Ruleset Order | Firewall Name | In-Ord | In Ports (TCP/UDP) | Out-Ord | Out Ports (TCP/UDP) |
|---|---|---|---|---|---|---|---|---|
| TRUE | FALSE | CIMHttpServer | 1 | CIM Server | 1 | 5988 (TCP) | | |
| TRUE | FALSE | CIMHttpsServer | 2 | CIM Secure Server | 2 | 5989 (TCP) | | |
| TRUE | FALSE | CIMSLP | 3 | CIM SLP | 3 | 427 (TCP,UDP) | 1 | 427 (TCP,UDP) |
| TRUE | FALSE | DHCPv6 | 4 | DHCPv6 | 4 | 546 (TCP,UDP) | 2 | 547 (TCP,UDP) |
| TRUE | FALSE | DVFilter | 5 | DVFilter | 5 | 2222 (TCP) | | |
| TRUE | FALSE | DVSSync | 6 | DVSSync | 6 | 8301,8302 (UDP) | 3 | 8301,8302 (UDP) |
| TRUE | FALSE | HBR | 7 | HBR | 7 | 44046,31031 (TCP) | 4 | 44046 (TCP) |
| TRUE | FALSE | NFC | 8 | NFC | 8 | 902 (TCP) | 5 | 902 (TCP) |
| TRUE | FALSE | WOL | 9 | WOL | 10 | 68 (UDP) | 6 | 9 (UDP) |
| FALSE | FALSE | activeDirectoryAll | 10 | Active Directory All | — | 2020 (TCP) | 7 | 464,389,3268,389,88,137,123,7476,445 (TCP,UDP) |
| FALSE | FALSE | dhcp | 11 | DHCP Client | — | 68 (UDP) | 8 | 68 (UDP) |
| FALSE | FALSE | dns | 12 | DNS Client | — | 53 (UDP) | 9 | 53 (TCP,UDP) |
| FALSE | FALSE | esxupdate | 13 | esxupdate | — | 443 (TCP) | 11 | 443 (TCP) |
| FALSE | FALSE | ftpClient | 14 | FTP Client | — | 20 (TCP) | 14 | 21 (TCP) |
| FALSE | FALSE | gdbserver | 15 | gdbserver | — | 1000,50000 (TCP) | | |
| FALSE | FALSE | httpClient | 16 | httpClient | — | 80,443 (TCP) | | |
| FALSE | FALSE | ipfam | 17 | NSX Distributed Logical Router | — | 6999 (UDP) | 17 | 6999 (UDP) |
| FALSE | FALSE | nfs41Client | 18 | nfs41Client | | | | |
| FALSE | FALSE | ntpClient | 19 | NTP Client | — | 123 (UDP) | 20 | 123 (UDP) |
| FALSE | FALSE | pvrdma | 20 | pvrdma | — | 28250 (TCP) | 21 | 28250 (TCP) |
| FALSE | FALSE | rabbitmqproxy | 21 | rabbitmqproxy | — | 5671 (TCP) | | |
| FALSE | FALSE | remoteSerialPort | 22 | VM Serial Port (Network) | — | 1024,23 (TCP) | | |
| FALSE | FALSE | snmp | 23 | SNMP Server | — | 161 (UDP) | | |
| FALSE | FALSE | sshClient | 24 | SSH Client | — | 22 (TCP) | | |
| FALSE | FALSE | sshServer | 25 | SSH Server | — | 22 (TCP) | | |
| FALSE | FALSE | syslog | 26 | syslog | — | 514,1514 (UDP,TCP) | | |
| TRUE | FALSE | updateManager | 27 | vCenter Update Manager | — | 80,9000 (TCP) | | |
| TRUE | FALSE | vMotion | 28 | vMotion | — | 8000 (TCP) | 28 | 8000 (TCP) |
| TRUE | FALSE | vSPC | 29 | VM Serial Port to vSPC | | | | |
| TRUE | FALSE | vSphereClient | 30 | vSphere Web Client | — | 902,443 (TCP) | | |
| TRUE | FALSE | vsanEncryption | 31 | vSAN Encryption | | | | |
| TRUE | FALSE | wold | 32 | wold | | | | |
| TRUE | FALSE | webAccess | 33 | vSphere Web Access | — | 80 (TCP) | | |
| TRUE | FALSE | fdm | — | Fault Tolerance | — | 8300 (TCP) | — | 8300 (TCP) |
| TRUE | FALSE | fdm | — | vSphere HA Agent | — | 8182 (UDP,TCP) | — | 8182 (UDP,TCP) |
| TRUE | FALSE | iolfiltervp | — | iolfiltervp | — | 9080 (TCP) | | |
| FALSE | FALSE | nfsClient | — | NFS Client | | | | |
| FALSE | FALSE | iscsiClient | — | Software iSCSI Client | — | 3260 (TCP) | | |
| FALSE | FALSE | vit | — | vit | — | 3260 (TCP) | | |
| FALSE | FALSE | vsanClustering | — | vSAN Clustering | — | 12345,12321,23451 (UDP) | — | 12345,12321,23451 (UDP) |
| FALSE | FALSE | vsanTransport | — | vSAN Transport | — | 2233 (TCP) | — | 2233 (TCP) |
| FALSE | FALSE | vsanhealth-unicast | — | vSAN Health Unicast Test | — | 5010 (UDP) | — | 5010 (UDP) |
| FALSE | FALSE | vsanvp | — | vsanvp | — | 8080 (TCP) | — | 8080 (TCP) |
| TRUE | TRUE | vpxa | — | VMware vCenter Agent | — | 902 (UDP) | | |
VMware ESXi SSH server configuration file.
⚙️ Note: The nano text editor does not exist on ESXi.
Use vi to edit configuration files such as /etc/ssh/sshd_config.
This file controls how SSH behaves on your ESXi host. Note the first comment line of the file shown below: on this ESXi build the config store overwrites sshd_config, so a direct edit may not persist.
cat /etc/ssh/sshd_config
# Do not edit this file, config store overwrites it.
# This file contains the Server Config for SSH.
# Running from inetd.
# VMware ESXi - 8.0.2-0.0.22380479
# Work in progress!