When firewall rules are changed after VMware High Availability (HA) traffic, migration, cloning, patching, or vMotion, you might need to configure the firewall defaults for esxcfg-firewall.

Modifying firewall default rules for the service console using any command or utility other than esxcfg-firewall is not supported. If you modify default rules and then attempt to access the service console through the firewall with any tools or utilities, the firewall might revert to its default configuration when your actions are complete. For example, configuring HA on a host causes the firewall to revert to the default configuration specified by esxcfg-firewall if you have modified the rules by using a command other than esxcfg-firewall.

In most cases, you do not need to change default firewall rules for the service console. If you modify the defaults by using a Linux command, your changes will be ignored and overwritten by the defaults specified for that service by the esxcfg-firewall command. If you want to change the defaults for a supported service, or define defaults for additional service types, you can modify or add to the rules in /etc/vmware/firewall/chains/default.xml.


1. Log in to the service console with administrator privileges.

2. Edit the /etc/vmware/firewall/chains/default.xml file to correspond to your security policies.

3. Restart the service console firewall by using the service firewall restart command.

4. Use the esxcfg-firewall -e|-d SERVICE command to check that the specified services are correctly enabled or disabled.
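
Before restarting the firewall, the edited file can be checked against the ports your policy approves. The script below is an added example, not VMware's own tooling; the function names, the approved-port list and the sample file are assumptions, and it expects one <rule> element per line inside each <chain>.

```sh
#!/bin/sh
# Added example: report ACCEPT rules in one chain of a default.xml-style
# file whose --dport is not on an approved list.
# Assumption: one <rule>...</rule> per line inside each <chain>.

# unapproved_ports FILE CHAIN "PORT PORT ..."
# Prints one unapproved port per line; prints nothing if the chain is clean.
unapproved_ports() {
    file=$1 chain=$2 allowed=" $3 "
    # Keep the lines from <chain name="CHAIN"> to </chain> (or end of file),
    # then extract the destination port of every ACCEPT rule.
    sed -n "/<chain name=\"$chain\">/,/<\/chain>/p" "$file" |
    sed -n 's/.*<rule>.*--dport \([0-9][0-9]*\).*-j ACCEPT.*<\/rule>.*/\1/p' |
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # approved by policy
            *) echo "$port" ;;       # accepted by the file, not by policy
        esac
    done
}

# write_sample FILE
# Writes a constructed sample. The three INPUT ACCEPT rules use the ports
# shown in this page's excerpt; the DROP rule and OUTPUT chain are made up.
write_sample() {
    cat > "$1" <<'EOF'
<chain name="INPUT">
  <rule>-p tcp --dport 80 -j ACCEPT</rule>
  <rule>-p tcp --dport 110 -j ACCEPT</rule>
  <rule>-p tcp --dport 25 -j ACCEPT</rule>
  <rule>-p tcp --dport 23 -j DROP</rule>
</chain>
<chain name="OUTPUT">
  <rule>-p tcp --dport 443 -j ACCEPT</rule>
</chain>
EOF
}

# Demo on the constructed sample with a hypothetical policy of 80 and 25.
# On a host, pass /etc/vmware/firewall/chains/default.xml instead.
tmp=$(mktemp)
write_sample "$tmp"
unapproved_ports "$tmp" INPUT "80 25"    # prints 110
rm -f "$tmp"
```

An empty result means every ACCEPT rule in the chain is covered by the approved list.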

You can modify the firewall defaults for each of the service types according to your own security policies. For example, the following rules in the /etc/vmware/firewall/chains/default.xml file determine the firewall rules for the INPUT chain:

  <chain name="INPUT">
    <rule>-p tcp --dport 80 -j ACCEPT</rule>
    <rule>-p tcp --dport 110 -j ACCEPT</rule>
    <rule>-p tcp --dport 25 -j ACCEPT</rule>