Purpose
Some environments have requirements for the ports utilized by a particular service. This method provides a workaround to allow ESXi 5.x to use a different port for SSH.
Resolution
Modifications to these files do not normally persist across reboots. You need a placeholder location that does persist, such as a VMFS volume, where you can store the files so they can be copied back at boot time.
- Open the required firewall ports. For more information, see User defined xml firewall configurations are not persistent across ESXi host reboots (2007381).
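  This example shows a rule set .xml file to open TCP port 2222:

    <ConfigRoot>
      <service id='0000'>
        <id>SSH 2222</id>
        <rule id='0000'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <porttype>dst</porttype>
          <port>2222</port>
        </rule>
        <enabled>true</enabled>
        <required>false</required>
      </service>
    </ConfigRoot>

- Copy /etc/services to permanent storage (it can be in the same location where the firewall rules are stored, such as /vmfs/volumes/datastore1/hostname_etc/).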
- Edit the copy of services on permanent storage and change the port for SSH:

    ssh 2222/tcp # SSH Remote Login Protocol
    ssh 2222/udp # SSH Remote Login Protocol

- Edit /etc/rc.local so the created files are copied back to the host at boot time. These example lines would be added at the end of the file:

    # Copy the new firewall rule from the VMFS placeholder to the file system
    cp /vmfs/volumes/datastore1/etc/ssh_2222.xml /etc/vmware/firewall/
    # Refresh the firewall rules
    esxcli network firewall refresh
    # Copy the modified services file from the VMFS placeholder to the file system
    cp /vmfs/volumes/datastore1/etc/services /etc/services
    # Restart inetd to pick up the changes
    kill -HUP `cat /var/run/inetd.pid`

- Reboot the host, and attempt to connect to the host on the chosen port to verify that the changes were successful.
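
A consistency check that can be run against the persistent copies before rebooting, so that a mismatch between the services file and the firewall rule set is caught while the host is still reachable. This is an added example, not part of the VMware KB; the function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-reboot check that the services copy and the firewall
# rule set agree on the SSH port. Sample files below are constructed.

# Print the TCP port that a services file assigns to "ssh" (empty if none).
services_ssh_port() {
    awk '$1 == "ssh" && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$1"
}

# Print the <port> values found in a rule set file, one per line.
ruleset_ports() {
    sed -n 's:.*<port>\([0-9][0-9]*\)</port>.*:\1:p' "$1"
}

# Return 0 only if both files agree on the expected port and the rule set
# describes an enabled, inbound TCP rule; otherwise say what is wrong.
check_ssh_port() {
    services=$1 ruleset=$2 want=$3
    [ "$(services_ssh_port "$services")" = "$want" ] || { echo "services: ssh/tcp is not $want"; return 1; }
    ruleset_ports "$ruleset" | grep -qx "$want" || { echo "ruleset: port $want not opened"; return 1; }
    grep -q '<direction>inbound</direction>' "$ruleset" || { echo "ruleset: not inbound"; return 1; }
    grep -q '<protocol>tcp</protocol>' "$ruleset" || { echo "ruleset: not tcp"; return 1; }
    grep -q '<enabled>true</enabled>' "$ruleset" || { echo "ruleset: not enabled"; return 1; }
    echo "ok: ssh on $want/tcp in both files"
}

# Constructed sample files standing in for the copies kept on the datastore.
demo=$(mktemp -d)
cat > "$demo/services" <<'EOF'
ssh 2222/tcp # SSH Remote Login Protocol
ssh 2222/udp # SSH Remote Login Protocol
EOF
cat > "$demo/ssh_2222.xml" <<'EOF'
<ConfigRoot>
  <service id='0000'>
    <id>SSH 2222</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2222</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
check_ssh_port "$demo/services" "$demo/ssh_2222.xml" 2222
```

On a real host, the two file arguments would be the copies on the datastore that /etc/rc.local restores at boot.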
Based on VMware KB 2011818
