Proxmox Firewall Setup
This document describes how to configure the built-in firewall in Proxmox to enhance the security of virtual machines. Examples of typical scenarios, recommendations, and useful links are provided.
Introduction
Proxmox VE has a built-in firewall that allows you to segment and protect your virtual machine infrastructure.
Why it's important to use the firewall in Proxmox
The firewall helps restrict unauthorized access, isolate services, and improve the overall security of virtual machines and containers.
Main configuration steps
- Enable the firewall at the datacenter level
- Configure rules for nodes
- Configure rules for virtual machines and containers
Example: Allow SSH only from specific IPs
SSH rule example
IN ACCEPT -source 203.0.113.0/24 -p tcp -dport 22
Security tips
- Test rules on a test VM before implementing in production
- Use specific source IPs instead of broad ranges
- Regularly review and update firewall rules
- Monitor firewall logs for suspicious activity
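An added example, not part of the original page and not Proxmox's own tooling: a small Python audit for the "specific source IPs" and "regularly review" tips above. It reads rule lines in the format shown on this page and reports inbound ACCEPT rules that have no -source or a source wider than a chosen prefix length. The MIN_PREFIX thresholds, the function names and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: a source must be at least this specific (prefix length) per IP version.
MIN_PREFIX = {4: 16, 6: 48}

def parse_rule(line):
    """Split a rule line of the form DIRECTION ACTION [-option value]... into a dict."""
    line = line.split("#", 1)[0].strip()
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("IN", "OUT"):
        return None  # blank line, comment, section header, or unsupported form
    rule = {"direction": tokens[0], "action": tokens[1]}
    opts = tokens[2:]
    for key, value in zip(opts[0::2], opts[1::2]):
        rule[key.lstrip("-")] = value  # this parser reads -dport and --dport alike
    return rule

def audit(lines):
    """Return (line_number, rule_text, finding) for inbound ACCEPT rules that are too open."""
    findings = []
    for number, line in enumerate(lines, start=1):
        rule = parse_rule(line)
        if not rule or rule["direction"] != "IN" or rule["action"] != "ACCEPT":
            continue
        source = rule.get("source")
        if source is None:
            findings.append((number, line.strip(), "no -source: open to any address"))
            continue
        try:
            net = ipaddress.ip_network(source, strict=False)
        except ValueError:
            continue  # alias, IP set, range or list: not evaluated here
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((number, line.strip(), f"broad source {net}"))
    return findings

# Constructed sample: rules in the style of this page plus deliberately loose ones.
SAMPLE = """\
IN ACCEPT -source 203.0.113.0/24 -p tcp -dport 22
IN ACCEPT -source 10.0.0.0/8 -p tcp -dport 22
IN ACCEPT -p tcp -dport 8006
IN ACCEPT -p icmp
IN DROP -p tcp -dport 3389
""".splitlines()

if __name__ == "__main__":
    for number, text, finding in audit(SAMPLE):
        print(f"line {number}: {finding}: {text}")
```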
Advanced Configuration
Port-based filtering
IN DROP -p tcp -dport 3389
IN ACCEPT -source 192.168.1.0/24 -p tcp -dport 22
Protocol-based filtering
IN ACCEPT -p icmp
IN DROP -p udp -dport 53
Troubleshooting
Common Issues
- Can't access VM: Check firewall rules and source IPs
- Services not working: Verify port configurations
- Performance issues: Review rule complexity
Debug Commands
# Check firewall status
pve-firewall status
# View firewall logs
journalctl -u pve-firewall
Best Practices
- Start with restrictive rules and gradually open required ports
- Use groups for similar VMs
- Document all custom rules
- Run regular security audits
- Keep Proxmox updated