13.8. Default firewall rules

The following traffic is filtered by the default firewall configuration:

If the input or output policy for the firewall is set to DROP or REJECT, the following traffic is still allowed for all Proxmox VE hosts in the cluster:

The following traffic is dropped, but not logged even with logging enabled:

The rest of the traffic is dropped or rejected, respectively, and also logged. This may vary depending on the additional options enabled in FirewallOptions, such as NDP, SMURFS and TCP flag filtering.

Please inspect the output of the

 # iptables-save

system command to see the firewall chains and rules active on your system. This output is also included in a System Report, accessible over a node’s subscription tab in the web GUI, or through the pvereport command line tool.
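The raw iptables-save dump of a busy node runs to many hundreds of lines, so a per-chain summary is a quick way to check which chains drop or reject by default and where logging rules sit. The helper below is an added example, not part of the Proxmox VE manual or of pve-firewall; the sample dump it parses is constructed (the rules are illustrative and do not reproduce a real node's rule set).

```shell
#!/bin/sh
# Added example: summarise an iptables-save dump per chain of the "filter" table.
# For each chain it prints:  <chain> <policy> <rule_count> <log_rule_count>
# Built-in chains carry their policy (ACCEPT/DROP/...); user-defined chains show "-".
# On a live node run:  iptables-save | summarize_filter_chains
summarize_filter_chains() {
    awk '
        /^\*/             { table = substr($1, 2); next }   # "*filter" starts a table
        /^COMMIT$/        { table = ""; next }              # end of the current table
        table != "filter" { next }                          # ignore nat/mangle/raw
        /^:/ {                                              # ":CHAIN POLICY [pkts:bytes]"
            chain = substr($1, 2); order[++n] = chain
            policy[chain] = $2; rules[chain] = 0; logs[chain] = 0; next
        }
        /^-A / {                                            # "-A CHAIN ... -j TARGET"
            chain = $2; rules[chain]++
            for (i = 3; i <= NF; i++) if ($i == "-j" && $(i+1) == "LOG") logs[chain]++
        }
        END { for (i = 1; i <= n; i++) { c = order[i]; print c, policy[c], rules[c], logs[c] } }
    '
}

# Constructed sample in iptables-save format (not a real Proxmox VE dump).
# A nat table is included to show that non-filter tables are skipped.
SAMPLE_DUMP='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-HOST-IN - [0:0]
-A INPUT -j PVEFW-INPUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -p tcp -m tcp --dport 8006 -j ACCEPT
-A PVEFW-HOST-IN -j LOG --log-prefix "PVEFW-HOST-IN-DROP: "
-A PVEFW-HOST-IN -j DROP
COMMIT'

# Demo on the constructed sample; swap in "iptables-save |" on a real node.
summarize_sample() { printf '%s\n' "$SAMPLE_DUMP" | summarize_filter_chains; }
summarize_sample
```

A chain that ends in DROP or REJECT but reports zero LOG rules is one whose discarded packets will not show up in the firewall log, which matches the "dropped but not logged" behaviour described above.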

This drops or rejects all traffic to the VMs, with some exceptions for DHCP, NDP, Router Advertisement, MAC and IP filtering, depending on the configuration in place. The same rules for dropping/rejecting packets are inherited from the datacenter, while the exceptions for accepted incoming/outgoing traffic of the host do not apply.

Again, you can use iptables-save (see Section 13.8.1, “Datacenter incoming/outgoing DROP/REJECT” above) to inspect all rules and chains applied.