ESX3 Firewall and NFS Client
When you open the nfsClient service on the ESX 3.0.1 firewall, you are opening all outbound tcp and udp ports. Not a huge deal, but important to know. For some reason, the GUI lies. Here is the VIC connected directly to a 3.0.1 box (screenshot not reproduced here). Notice that the outgoing ports are labeled as only 111 and 2049.
Here is the section from /etc/vmware/firewall/services.xml on the same ESX host:
<service id="0004">
  <id>nfsClient</id>
  <rule id="0000">
    <direction>outbound</direction>
    <protocol>udp</protocol>
    <port type="dst">111</port>
  </rule>
  <rule id="0001">
    <direction>outbound</direction>
    <protocol>udp</protocol>
    <port type="dst">2049</port>
  </rule>
  <rule id="0002">
    <direction>outbound</direction>
    <protocol>udp</protocol>
    <port type="dst">
      <begin>0</begin>
      <end>65535</end>
    </port>
  </rule>
  <rule id="0003">
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type="dst">111</port>
  </rule>
  <rule id="0004">
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type="dst">2049</port>
  </rule>
  <rule id="0005">
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type="dst">
      <begin>0</begin>
      <end>65535</end>
    </port>
  </rule>
</service>
So there was some effort to open only outbound tcp/udp 111 and 2049, but then it was apparently ‘oh screw it’ and outbound tcp/udp 0 – 65535 got opened as well.
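The quickest way to catch a service definition like this before it ever reaches iptables is to audit services.xml itself. The following is an added example, not part of the original post or of VMware's tooling: it parses the nfsClient block quoted above (embedded inline, copied from the post), flattens each rule into a port range, flags any rule whose range is wider than a chosen threshold, and reports rules that a broader rule in the same service/direction/protocol already shadows. The threshold value and the function names are this example's own choices; the parser accepts either a lone <service> fragment or a larger document containing several <service> elements.

```python
import xml.etree.ElementTree as ET

# The nfsClient <service> block exactly as quoted in the post from
# /etc/vmware/firewall/services.xml on an ESX 3.0.1 host (whitespace condensed).
NFS_CLIENT_SERVICE = """<service id="0004">
  <id>nfsClient</id>
  <rule id="0000"><direction>outbound</direction><protocol>udp</protocol><port type="dst">111</port></rule>
  <rule id="0001"><direction>outbound</direction><protocol>udp</protocol><port type="dst">2049</port></rule>
  <rule id="0002"><direction>outbound</direction><protocol>udp</protocol>
    <port type="dst"><begin>0</begin><end>65535</end></port></rule>
  <rule id="0003"><direction>outbound</direction><protocol>tcp</protocol><port type="dst">111</port></rule>
  <rule id="0004"><direction>outbound</direction><protocol>tcp</protocol><port type="dst">2049</port></rule>
  <rule id="0005"><direction>outbound</direction><protocol>tcp</protocol>
    <port type="dst"><begin>0</begin><end>65535</end></port></rule>
</service>"""


def parse_rules(xml_text):
    """Flatten every <rule> under every <service> into a dict with an integer port range.

    Handles both forms seen in the file: <port type="dst">111</port> (single port)
    and <port type="dst"><begin>0</begin><end>65535</end></port> (range).
    """
    root = ET.fromstring(xml_text)
    rules = []
    for svc in root.iter("service"):          # iter() includes root itself if it is a <service>
        svc_name = (svc.findtext("id") or "").strip()
        for rule in svc.iter("rule"):
            port = rule.find("port")
            begin = port.findtext("begin")
            if begin is not None:              # range form
                lo, hi = int(begin), int(port.findtext("end"))
            else:                              # single-port form
                lo = hi = int(port.text.strip())
            rules.append({
                "service": svc_name,
                "rule": rule.get("id"),
                "direction": (rule.findtext("direction") or "").strip(),
                "protocol": (rule.findtext("protocol") or "").strip(),
                "port_type": port.get("type"),
                "begin": lo,
                "end": hi,
            })
    return rules


def wide_open_rules(rules, max_ports=1024):
    """Rules whose port range spans more than max_ports ports.

    max_ports is an arbitrary audit threshold chosen for this example; a
    0-65535 range trips it no matter what sensible value is used.
    """
    return [r for r in rules if r["end"] - r["begin"] + 1 > max_ports]


def shadowed_rules(rules):
    """Ids of rules fully contained in a strictly broader rule with the same
    service, direction, protocol and port type; these add nothing to the policy."""
    shadowed = []
    for r in rules:
        for other in rules:
            if other is r:
                continue
            same_scope = all(other[k] == r[k]
                             for k in ("service", "direction", "protocol", "port_type"))
            broader = (other["begin"] <= r["begin"] and other["end"] >= r["end"]
                       and (other["begin"], other["end"]) != (r["begin"], r["end"]))
            if same_scope and broader:
                shadowed.append(r["rule"])
                break
    return shadowed


def describe(rules):
    """One human-readable line per rule."""
    out = []
    for r in rules:
        span = str(r["begin"]) if r["begin"] == r["end"] else f"{r['begin']}-{r['end']}"
        out.append(f"{r['service']} rule {r['rule']}: {r['direction']} "
                   f"{r['protocol']} {r['port_type']} {span}")
    return out


if __name__ == "__main__":
    rules = parse_rules(NFS_CLIENT_SERVICE)
    for line in describe(rules):
        print(line)
    for r in wide_open_rules(rules):
        print(f"WIDE OPEN: rule {r['rule']} {r['protocol']} {r['begin']}-{r['end']}")
    print("shadowed by a broader rule:", shadowed_rules(rules))
```

Run against the block above it reports rules 0002 and 0005 as wide open and 0000, 0001, 0003 and 0004 as shadowed, which is exactly the "some effort, then screw it" shape of the definition: the two catch-all ranges make the four specific port rules pointless. Pointing parse_rules at the whole services.xml instead of this fragment audits every service the same way.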
When you look at the iptables results with nfsClient turned on, there are all sorts of outbound rules. Two of the items in the list stick out: the ACCEPT rules for plain udp and plain tcp with no port qualifier at all. The remaining tcp/udp port rules are redundant, since those two catch-alls already cover them.
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
819K 179M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
83945 58M valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
9 1142 icmp-out icmp -- * * 0.0.0.0/0 0.0.0.0/0
910 60941 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
83893 58M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
1 84 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
1 156 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049
8548 698K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049
92 5520 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:427
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:427 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:902 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:2050:5000 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:2050:5000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:8042:8045 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:8042:8045 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27010 state NEW
1 40 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
I did double-check and found that the two lines in question go away when the nfsClient service is disabled with “esxcfg-firewall -d nfsClient”.
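The same check can be run against the live firewall rather than the config file, which is what actually catches the GUI lying. Below is an added example, not part of the original post: it parses the output of iptables -L OUTPUT -v -n (an abridged copy of the post's listing is embedded inline) and flags ACCEPT rules for tcp or udp to any destination that carry no source or destination port match at all. The parsing helpers and their names are this example's own; the counters on the flagged lines are the post's.

```python
import re

# Abridged from the post's "Chain OUTPUT" listing with nfsClient enabled.
IPTABLES_OUTPUT = """Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
819K 179M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
83945 58M valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
910 60941 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
83893 58M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
1 84 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
1 156 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049
8548 698K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049
92 5520 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:427
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:427 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
1 40 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable"""

# Fixed columns of `iptables -L -v -n`; anything after them is the match text.
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

# Any spt/spts/dpt/dpts qualifier counts as a port restriction.
PORT_MATCH = re.compile(r"\b(?:spts?|dpts?):")


def parse_chain_listing(text):
    """Turn the verbose listing into dicts, remembering which chain each rule is in."""
    chain = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if line.startswith("pkts "):          # column header
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue
        rule = dict(zip(FIELDS, parts[:len(FIELDS)]))
        rule["chain"] = chain
        rule["match"] = " ".join(parts[len(FIELDS):])
        rules.append(rule)
    return rules


def catch_all_accepts(rules):
    """ACCEPT rules for tcp/udp leaving on a real interface to any destination
    with no port qualifier of any kind: the lines the post says stick out."""
    hits = []
    for r in rules:
        if r["target"] != "ACCEPT" or r["prot"] not in ("tcp", "udp"):
            continue
        if r["out"] == "lo":                  # loopback is expected to be open
            continue
        if r["destination"] != "0.0.0.0/0":
            continue
        if PORT_MATCH.search(r["match"]):
            continue
        hits.append(r)
    return hits


def report(hits):
    """Readable finding per hit, including how much traffic already used it."""
    return [f"{h['chain']}: ACCEPT {h['prot']} to {h['destination']} with no port "
            f"match ({h['pkts']} packets, {h['bytes']} bytes)" for h in hits]


if __name__ == "__main__":
    for line in report(catch_all_accepts(parse_chain_listing(IPTABLES_OUTPUT))):
        print(line)
```

On the post's data this flags exactly the two bare udp and tcp lines, and the counters show they were already matching traffic (8548 udp packets, 92 tcp) that would otherwise have needed a specific rule. The spt:427 rules are deliberately not flagged because they do carry a port qualifier; loosen PORT_MATCH to dpt/dpts only if you also want rules that restrict the source port but not the destination. Re-running after esxcfg-firewall -d nfsClient gives an empty report, matching the post's double-check.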