How To Configure Proxmox VE Firewall

Jan 9, 2023 · 3 mins read

In the video below, we show you how to configure the firewall in Proxmox VE

Unlike some other hypervisors you’ll come across, Proxmox VE has a built-in firewall

This can restrict access to your hypervisor without having to purchase or install any additional software

The firewall also allows you to restrict access to your virtual machines, which is especially useful if an operating system doesn’t have a software firewall

But more importantly we’re talking about local access such as the traffic between the VMs

This is the sort of traffic your dedicated firewall appliance doesn’t see and so can’t control

And this is extremely helpful because it gives us another layer of security

Steps Taken:
The firewall is disabled by default, but before you enable it, you should create rules to allow management access to your hypervisors. This is because once enabled, the hypervisor firewall starts filtering traffic immediately, and anything not explicitly allowed is dropped

Typically these should allow access to TCP port 8006 (GUI) and 22 (SSH) and, if you use SPICE, port 3128

You can apply rules on individual hypervisors or for better management purposes at the Data Center level

In addition, rules should be created to allow access between the hypervisors themselves for TCP ports 8006 and 22

Although the firewall has an implicit deny rule, this does not block local management access, nor does it log the traffic being dropped, so it is best to create an explicit deny rule as your last rule and log any hits

The firewall can then be enabled by navigating to Datacenter | Firewall | Options, selecting Firewall then clicking Edit, enabling the firewall and clicking OK

If you do lock yourself out, you can disable the firewall entirely using console access, or an SSH session if that still works, by editing the cluster firewall configuration

nano /etc/pve/firewall/cluster.fw
Change the enable value to 0, then save the file

Alternatively you can stop the firewall service on a hypervisor through the CLI to regain access to that hypervisor

pve-firewall stop
Once you have fixed the problem you should then restart it
pve-firewall start

Other interfaces on the hypervisor should also restrict inbound access. A storage interface usually only needs outbound access, so it can drop all inbound traffic. The firewall has built-in rules for cluster traffic, so all inbound traffic for that interface can also be dropped

You can create an Alias to represent an IP address or entire subnet so that you can then use names instead of IP addressing in rules

Networks and hosts can also be grouped together by creating IP Sets to reduce the number of rules needed

Better still, you can consolidate rules together by creating Security Groups which you can then apply
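As an added example (not from the post or from the Proxmox project), this is a Datacenter-level /etc/pve/firewall/cluster.fw that puts the steps above together: aliases, an IP Set for the hypervisors, a Security Group for management access, and a logged explicit deny as the last rule. The subnet, addresses and names are constructed placeholders; the firewall stays disabled (enable: 0) until the management rules are in place.

```ini
# Datacenter-level firewall configuration (constructed example)
[OPTIONS]
# leave at 0 until the management rules below exist, then set to 1
enable: 0
# implicit deny for inbound traffic, allow outbound
policy_in: DROP
policy_out: ACCEPT

[ALIASES]
# admin workstation subnet (constructed placeholder)
mgmt_net 192.168.10.0/24

[IPSET pve_hosts]
# the hypervisors themselves (constructed placeholders)
192.168.20.11
192.168.20.12

[group pve_management] # reusable rule set for management access
IN ACCEPT -source mgmt_net -p tcp -dport 8006 -log nolog # web GUI
IN ACCEPT -source mgmt_net -p tcp -dport 22 -log nolog # SSH
IN ACCEPT -source mgmt_net -p tcp -dport 3128 -log nolog # SPICE proxy
IN ACCEPT -source +pve_hosts -p tcp -dport 8006,22 # hypervisor to hypervisor

[RULES]
GROUP pve_management
IN DROP -log info # explicit, logged deny as the last rule
```

The same group can be attached to a VM with a GROUP line in that VM's rules, so the management rule set is defined once and reused.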

The firewall can also be configured on virtual machines but requires the rules to be applied to each individual VM

NOTE: You can create rules for VMs at a Data Center or hypervisor level, but placing them there won’t have any effect

Each VM can have its own Aliases and IP Sets, but for better management purposes you can use ones created at the Data Center level

Better still, you can apply Security Groups created at the Data Center level to a VM, meaning you only need to create one once and you can then use it on any VM

The firewall does have a built-in implicit deny rule and it will block local access, but as this does not log any hits it is better to create an explicit deny rule at the end to do logging

Each hypervisor and VM has a firewall log you can check in the GUI, but you can also run the following command from the CLI

tail /var/log/pve-firewall.log

You can also find the rules for hypervisors and VMs in the /etc/pve/firewall/ folder on a hypervisor
