ESXi includes a firewall between the management interface and the network. The firewall is enabled by default. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for the default services, such as NFS.

Supported services, including NFS, are described in a rule set configuration file in the ESXi firewall directory /etc/vmware/firewall/. The file contains firewall rules and lists each rule's relationship with ports and protocols.

The behavior of the NFS Client rule set (nfsClient) is different from other rule sets. When the NFS Client rule set is enabled, all outbound TCP ports are open for the destination hosts in the list of allowed IP addresses.

The NFS 4.1 rule set opens outgoing connections to destination port 2049, which is the port named in the specification for version 4.1 protocol. The outgoing connections are open for all IP addresses at the time of the first mount. This port remains open until the ESXi host is rebooted.

For more information about firewall configurations, see the vSphere Security documentation.