Firewall Configuration
Configure Proxmox VE firewall rules at the datacenter, node, and VM level.
Proxmox VE includes a built-in stateful firewall that operates at three levels: datacenter, node, and VM/container.
Firewall levels
| Level | Scope | Location |
|---|---|---|
| Datacenter | All nodes and VMs | Datacenter → Firewall |
| Node | A single node (host firewall) | Node → Firewall |
| VM/CT | A single VM or container | VM → Firewall |
Rules are evaluated from most specific (VM) to least specific (Datacenter). The VM firewall must be enabled under VM → Firewall → Options before any VM-level rules take effect.
Enable firewall
Enable the firewall for a VM:
- Go to VM → Firewall → Options
- Set Firewall to Yes
- Click Save
Add firewall rules
Go to VM → Firewall → Add:
| Field | Description |
|---|---|
| Direction | in (incoming) or out (outgoing) |
| Action | ACCEPT, DROP, or REJECT |
| Protocol | tcp, udp, icmp, etc. |
| Source/Dest | IP, CIDR, or security group |
| Dest. port | Port number or range (e.g., 80, 443, 8000-9000) |
Common rules
Allow SSH from a specific source network:
Direction: in
Action: ACCEPT
Protocol: TCP
Source: 192.168.1.0/24
Dest. port: 22
Allow HTTPS from anywhere:
Direction: in
Action: ACCEPT
Protocol: TCP
Dest. port: 443
Security groups
Security groups are reusable sets of rules. Create them in Datacenter → Firewall → Security Groups and apply them to multiple VMs.
# Create a security group via CLI
pvesh create /cluster/firewall/groups --group webservers --comment "Web server rules"
# Rules are added to a group at /cluster/firewall/groups/<group> (there is no /rules sub-path)
pvesh create /cluster/firewall/groups/webservers --type in --action ACCEPT --proto tcp --dport 80
pvesh create /cluster/firewall/groups/webservers --type in --action ACCEPT --proto tcp --dport 443
IP sets
IP sets are named lists of IPs/CIDRs. Create them in Datacenter → Firewall → IP Sets:
management-ips: 10.0.0.0/8, 192.168.1.5
Reference the set in a rule's source or destination field as +management-ips.
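The common rules, security groups and IP sets above all end up in the `[OPTIONS]` and `[RULES]` sections of the per-VM file `/etc/pve/firewall/<vmid>.fw` that the GUI writes. The following Python renderer is an added example, not Proxmox VE's or Cloud-PVE's own code: it produces that file from a declarative rule list so a rule set can be reviewed and version-controlled before it is applied. The `Rule` class and `render_vm_fw` function are this example's names; the rule list, the `webservers` group reference and the `+management-ips` source are constructed sample values that reuse the names from this page; the `-p`/`-source`/`-dest`/`-dport` options and the colon form for port ranges follow the pve-firewall rule syntax.

```python
"""Render a Proxmox VE per-VM firewall file (/etc/pve/firewall/<vmid>.fw).

Added example, not Proxmox VE's or Cloud-PVE's own code.  The [OPTIONS] /
[RULES] layout and the -p/-source/-dest/-dport rule options are pve-firewall's
rule syntax; the rule list at the bottom is a constructed sample.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

DIRECTIONS = {"IN", "OUT"}
ACTIONS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    direction: str                 # "in" or "out"
    action: str                    # ACCEPT, DROP or REJECT
    proto: Optional[str] = None    # tcp, udp, icmp, ...
    source: Optional[str] = None   # IP, CIDR, or "+ipset" ("+dc/ipset" pins a datacenter set)
    dest: Optional[str] = None
    dport: Optional[str] = None    # "22", "80,443"; ranges use the colon form "8000:9000"
    comment: str = ""

    def render(self) -> str:
        """One [RULES] line; rejects anything pve-firewall would not accept."""
        direction, action = self.direction.upper(), self.action.upper()
        if direction not in DIRECTIONS or action not in ACTIONS:
            raise ValueError(f"invalid rule: {self.direction} {self.action}")
        parts = [direction, action]
        for flag, value in (("-p", self.proto), ("-source", self.source),
                            ("-dest", self.dest), ("-dport", self.dport)):
            if value:
                parts += [flag, str(value).lower() if flag == "-p" else str(value)]
        line = " ".join(parts)
        return f"{line} # {self.comment}" if self.comment else line


def render_vm_fw(rules: Sequence[Rule], groups: Sequence[str] = (),
                 policy_in: str = "DROP", policy_out: str = "ACCEPT",
                 enable: bool = True) -> str:
    """Return the full .fw text.  Rules are emitted in list order, which is the
    order pve-firewall evaluates them, so put the most specific rules first."""
    lines = [
        "[OPTIONS]",
        f"enable: {1 if enable else 0}",
        f"policy_in: {policy_in.upper()}",
        f"policy_out: {policy_out.upper()}",
        "",
        "[RULES]",
    ]
    lines += [f"GROUP {g}" for g in groups]      # reusable datacenter security groups
    lines += [r.render() for r in rules]
    return "\n".join(lines) + "\n"


# Constructed sample: the page's two common rules, with SSH restricted to the
# management-ips IP set instead of a bare CIDR, plus the webservers group.
COMMON_RULES: List[Rule] = [
    Rule("in", "ACCEPT", proto="tcp", source="+management-ips", dport="22",
         comment="SSH only from the management IP set"),
    Rule("in", "ACCEPT", proto="tcp", dport="443", comment="HTTPS from anywhere"),
]

if __name__ == "__main__":
    print(render_vm_fw(COMMON_RULES, groups=["webservers"]), end="")
```

Running the script prints the file for VM-level use; the same `[RULES]` syntax applies inside `/etc/pve/firewall/cluster.fw` for security groups, so the renderer is a convenient way to diff a planned rule set against what is currently deployed.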
Default policy
Set the default policy in VM → Firewall → Options:
- Default policy in: DROP (recommended; blocks all inbound traffic unless a rule allows it)
- Default policy out: ACCEPT (allows all outbound traffic by default)
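A default inbound policy of DROP only protects a VM if the firewall is actually enabled and no broad ACCEPT rule undoes it. The following audit script is an added example, not Proxmox VE's or Cloud-PVE's own tooling: it parses the `[OPTIONS]` and `[RULES]` sections of a per-VM `.fw` file, flags a disabled firewall or a `policy_in` other than DROP, and flags inbound ACCEPT rules that expose a management port without any source restriction. `SAMPLE_FW` is a constructed file; `MANAGEMENT_PORTS` (SSH and the Proxmox web interface) and the single-entry `MACRO_PORTS` table are assumptions of this example, and the port check is an exact match, so port lists and ranges are not expanded.

```python
"""Audit a Proxmox VE per-VM firewall file (/etc/pve/firewall/<vmid>.fw).

Added example, not Proxmox VE's or Cloud-PVE's own tooling.  SAMPLE_FW is a
constructed file; MANAGEMENT_PORTS and MACRO_PORTS are assumptions of this audit.
"""
import re
import shlex
from typing import Dict, List, Tuple

MANAGEMENT_PORTS = {"22", "8006"}   # assumption: never expose these without a source restriction
MACRO_PORTS = {"SSH": "22"}         # assumption: only the SSH macro is expanded here

SAMPLE_FW = """\
[OPTIONS]
enable: 1
policy_in: ACCEPT
policy_out: ACCEPT

[RULES]
GROUP webservers
IN ACCEPT -p tcp -dport 22 # SSH open to the world
IN ACCEPT -p tcp -source 192.168.1.0/24 -dport 8006
IN ACCEPT -p tcp -dport 443
IN SSH(ACCEPT) -source +management-ips
|IN DROP -p tcp -dport 23
"""


def parse_fw(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return (options, rules).  A leading '|' marks a disabled rule; GROUP
    references are skipped because their rules live in the datacenter config;
    other sections such as [IPSET name] and [ALIASES] are ignored."""
    section, options, rules = None, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop trailing comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)(?:\s+[^\]]+)?\]", line)
        if header:
            section = header.group(1).upper()
            continue
        if section == "OPTIONS":
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section == "RULES":
            enabled = not line.startswith("|")
            toks = shlex.split(line.lstrip("|"))
            if len(toks) < 2 or toks[0].upper() == "GROUP":
                continue
            rule = {"dir": toks[0].upper(), "enabled": enabled}
            action = toks[1].upper()
            macro = re.fullmatch(r"(\w+)\((\w+)\)", action)   # e.g. SSH(ACCEPT)
            if macro:
                rule["macro"], action = macro.groups()
                rule["dport"] = MACRO_PORTS.get(rule["macro"])
            rule["action"] = action
            for i in range(2, len(toks) - 1):              # "-flag value" pairs
                if toks[i].startswith("-"):
                    rule[toks[i].lstrip("-")] = toks[i + 1]
            rules.append(rule)
    return options, rules


def audit(text: str) -> List[str]:
    """Findings for the default-policy settings and for over-broad inbound ACCEPTs."""
    options, rules = parse_fw(text)
    findings = []
    if options.get("enable", "0") != "1":                 # pve-firewall default: disabled
        findings.append("firewall not enabled: no VM-level rule is applied")
    policy_in = options.get("policy_in", "DROP").upper()  # pve-firewall default: DROP
    if policy_in != "DROP":
        findings.append(f"policy_in is {policy_in}, expected DROP")
    for r in rules:
        if not r["enabled"] or r["dir"] != "IN" or r["action"] != "ACCEPT":
            continue
        if r.get("dport") in MANAGEMENT_PORTS and not r.get("source"):
            findings.append(f"inbound ACCEPT on management port {r['dport']} has no source restriction")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FW):
        print("FINDING:", finding)
```

Against `SAMPLE_FW` the audit reports two findings: the ACCEPT inbound policy, and the source-less SSH rule; the `SSH(ACCEPT)` macro rule passes because it is limited to the `+management-ips` set, and the disabled Telnet rule is ignored. Point the script at `/etc/pve/firewall/<vmid>.fw` on a node to check a real VM.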
Node-level firewall
The node firewall protects the Proxmox management interface (port 8006) and SSH (port 22). Cloud-PVE pre-configures node firewall rules. Contact support before modifying them.