All firewall-related configuration is stored on the Proxmox cluster file system (pmxcfs). Those files are therefore distributed to all cluster nodes automatically, and the pve-firewall service updates the underlying iptables rules automatically whenever they change.
You can configure everything using the GUI (i.e. Datacenter → Firewall, or on a Node → Firewall), or you can edit the configuration files directly using your preferred editor.
Firewall configuration files contain sections of key-value pairs. Lines beginning with a # and blank lines are considered comments. Sections start with a header line containing the section name enclosed in [ and ].
The cluster-wide firewall configuration is stored at:
/etc/pve/firewall/cluster.fw
The configuration can contain the following sections:
[OPTIONS]
  ebtables: <boolean> (default = 1)
    Enable ebtables rules cluster wide.
  enable: <integer> (0 - N)
    Enable or disable the firewall cluster wide.
  log_ratelimit: [enable=]<1|0> [,burst=<integer>] [,rate=<rate>]
    Log rate-limiting settings.
      burst=<integer> (0 - N) (default = 5)
      enable=<boolean> (default = 1)
      rate=<rate> (default = 1/second)
  policy_in: <ACCEPT | DROP | REJECT>
    Input policy.
  policy_out: <ACCEPT | DROP | REJECT>
    Output policy.
[RULES]
[IPSET <name>]
[GROUP <name>]
[ALIASES]
The firewall is completely disabled by default, so you need to set the enable option here:
  [OPTIONS]
  # enable firewall (cluster-wide setting, default is disabled)
  enable: 1
If you enable the firewall, traffic to all hosts is blocked by default. The only exceptions are the web GUI (port 8006) and ssh (port 22) from your local network.
If you want to administer your Proxmox VE hosts remotely, you need to create rules that allow traffic from those remote IPs to the web GUI (port 8006). You may also want to allow ssh (port 22), and maybe SPICE (port 3128).
Please open an SSH connection to one of your Proxmox VE hosts before enabling the firewall. That way you still have access to the host if something goes wrong.
To simplify that task, you can instead create an IPSet called “management” (an [IPSET management] section in cluster.fw) and add all remote IPs there. This creates all required firewall rules to access the GUI from remote.
Host-related configuration is read from:
/etc/pve/nodes/<nodename>/host.fw
This is useful if you want to override rules from the cluster.fw config. You can also increase log verbosity and set netfilter-related options. The configuration can contain the following sections:
[OPTIONS]
  enable: <boolean>
    Enable host firewall rules.
  log_level_in: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for incoming traffic.
  log_level_out: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for outgoing traffic.
  log_nf_conntrack: <boolean> (default = 0)
    Enable logging of conntrack information.
  ndp: <boolean> (default = 0)
    Enable NDP (Neighbor Discovery Protocol).
  nf_conntrack_allow_invalid: <boolean> (default = 0)
    Allow invalid packets on connection tracking.
  nf_conntrack_max: <integer> (32768 - N) (default = 262144)
    Maximum number of tracked connections.
  nf_conntrack_tcp_timeout_established: <integer> (7875 - N) (default = 432000)
    Conntrack timeout for established TCP connections, in seconds.
  nf_conntrack_tcp_timeout_syn_recv: <integer> (30 - 60) (default = 60)
    Conntrack timeout for the TCP SYN_RECV state, in seconds.
  nosmurfs: <boolean>
    Enable the smurf filter.
  protection_synflood: <boolean> (default = 0)
    Enable SYN flood protection.
  protection_synflood_burst: <integer> (default = 1000)
    SYN flood protection burst, per source IP.
  protection_synflood_rate: <integer> (default = 200)
    SYN flood protection rate (SYNs per second), per source IP.
  smurf_log_level: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for the smurf filter.
  tcp_flags_log_level: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for the illegal TCP flags filter.
  tcpflags: <boolean> (default = 0)
    Filter illegal combinations of TCP flags.
[RULES]
VM and container firewall configuration is read from:
/etc/pve/firewall/<VMID>.fw
and contains the following data:
[OPTIONS]
  dhcp: <boolean> (default = 0)
    Enable DHCP.
  enable: <boolean> (default = 0)
    Enable or disable the firewall rules for this guest.
  ipfilter: <boolean>
    Enable the default IP filters.
  log_level_in: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for incoming traffic.
  log_level_out: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for outgoing traffic.
  macfilter: <boolean> (default = 0)
    Enable or disable the MAC address filter.
  ndp: <boolean> (default = 0)
    Enable NDP (Neighbor Discovery Protocol).
  policy_in: <ACCEPT | DROP | REJECT>
    Input policy.
  policy_out: <ACCEPT | DROP | REJECT>
    Output policy.
  radv: <boolean>
    Allow sending Router Advertisements.
[RULES]
[IPSET <name>]
[ALIASES]
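The following is an added example, not code from Proxmox VE or its documentation. It covers two things described on this page: the file format itself (sections in [ ] headers, key-value lines, # and blank lines as comments, named [IPSET <name>] and [GROUP <name>] sections, here with a “management” IPSet in cluster.fw as recommended above), and the [OPTIONS] lists for cluster.fw, host.fw and <VMID>.fw, whose types, ranges and defaults are encoded as a schema and checked before a file is dropped into /etc/pve/firewall. The sample file contents are constructed; the line under [RULES] uses a rule syntax this page does not document and is illustrative only, and the function names (parse_fw, check_options, effective) are this example's own.

```python
"""Parse Proxmox VE firewall files (cluster.fw, host.fw, <VMID>.fw) and check [OPTIONS].
Added example, not Proxmox VE code: implements the format described on this page
([SECTION] headers, key: value lines, # and blank lines ignored) and checks option values
against the types, ranges and defaults listed above. Sample contents are constructed."""
import re

LOG_LEVELS = {"alert", "crit", "debug", "emerg", "err", "info", "nolog", "notice", "warning"}
POLICIES = {"ACCEPT", "DROP", "REJECT"}

def _b(default=None): return ("bool", default, None)                        # <boolean>
def _i(default=None, lo=None, hi=None): return ("int", default, (lo, hi))  # (lo - hi), None = N
def _e(values): return ("enum", None, values)                               # <A | B | C>

# One (type, default, constraint) entry per option listed on this page.
SCHEMA = {
    "cluster": {"ebtables": _b(1), "enable": _i(lo=0), "log_ratelimit": ("raw", None, None),
                "policy_in": _e(POLICIES), "policy_out": _e(POLICIES)},
    "host": {"enable": _b(), "log_level_in": _e(LOG_LEVELS), "log_level_out": _e(LOG_LEVELS),
             "log_nf_conntrack": _b(0), "ndp": _b(0), "nf_conntrack_allow_invalid": _b(0),
             "nf_conntrack_max": _i(262144, 32768),
             "nf_conntrack_tcp_timeout_established": _i(432000, 7875),
             "nf_conntrack_tcp_timeout_syn_recv": _i(60, 30, 60), "nosmurfs": _b(),
             "protection_synflood": _b(0), "protection_synflood_burst": _i(1000),
             "protection_synflood_rate": _i(200), "smurf_log_level": _e(LOG_LEVELS),
             "tcp_flags_log_level": _e(LOG_LEVELS), "tcpflags": _b(0)},
    "vm": {"dhcp": _b(0), "enable": _b(0), "ipfilter": _b(), "log_level_in": _e(LOG_LEVELS),
           "log_level_out": _e(LOG_LEVELS), "macfilter": _b(0), "ndp": _b(0),
           "policy_in": _e(POLICIES), "policy_out": _e(POLICIES), "radv": _b()},
}
HEADER = re.compile(r"^\[(OPTIONS|RULES|ALIASES|IPSET\s+(\S+)|GROUP\s+(\S+))\]$")

def parse_fw(text):
    """Split a .fw file into sections; only [OPTIONS] is parsed as key: value, the rest stay raw."""
    doc = {"OPTIONS": {}, "RULES": [], "ALIASES": [], "IPSET": {}, "GROUP": {}}
    target = None                                  # section the current line belongs to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                               # blank line or comment
        m = HEADER.match(line)
        if m:
            name = m.group(1).split()[0]
            if name in ("IPSET", "GROUP"):         # named sections: [IPSET <name>], [GROUP <name>]
                target = doc[name].setdefault(m.group(2) or m.group(3), [])
            else:
                target = doc[name]
            continue
        if target is None:
            raise ValueError(f"line {lineno}: data before any [SECTION] header")
        if isinstance(target, dict):
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"line {lineno}: expected 'key: value' in [OPTIONS]")
            target[key.strip()] = value.strip()
        else:
            target.append(line)
    return doc

def check_options(kind, options):
    """List problems in an [OPTIONS] dict for file kind 'cluster', 'host' or 'vm'."""
    problems = []
    for key, value in options.items():
        spec = SCHEMA[kind].get(key)
        if spec is None:
            problems.append(f"{key}: not a documented option for {kind} files")
            continue
        typ, _default, constraint = spec
        if typ == "bool" and value not in ("0", "1"):
            problems.append(f"{key}: expected 0 or 1, got '{value}'")
        elif typ == "enum" and value not in constraint:
            problems.append(f"{key}: '{value}' not one of {sorted(constraint)}")
        elif typ == "int":
            if not value.isdigit():
                problems.append(f"{key}: expected integer, got '{value}'")
                continue
            n, (lo, hi) = int(value), constraint
            if (lo is not None and n < lo) or (hi is not None and n > hi):
                problems.append(f"{key}: {n} outside allowed range {lo}-{'N' if hi is None else hi}")
    return problems

def effective(kind, options, key):
    """Value in effect for key: the configured one, else the documented default (None if none)."""
    typ, default, _ = SCHEMA[kind][key]
    if key in options:
        return int(options[key]) if typ in ("bool", "int") else options[key]
    return default

# Constructed sample files (documentation address ranges, not a real cluster).
CLUSTER_FW = """\
[OPTIONS]
# enable firewall (cluster-wide setting, default is disabled)
enable: 1
policy_in: DROP
log_ratelimit: enable=1,burst=5,rate=1/second

[IPSET management]
# admin hosts allowed to reach the web GUI (8006) and ssh (22)
192.0.2.10
198.51.100.0/24

[RULES]
IN ACCEPT -source +management -p tcp -dport 3128
"""
HOST_FW = "[OPTIONS]\nenable: 1\nprotection_synflood: 1\nnf_conntrack_max: 65536\nnf_conntrack_tcp_timeout_syn_recv: 20\n"
VM_FW = "[OPTIONS]\nenable: 1\nmacfilter: 1\npolicy_in: REJECT\npolicy_out: ALLOW\n"

if __name__ == "__main__":
    for kind, text in (("cluster", CLUSTER_FW), ("host", HOST_FW), ("vm", VM_FW)):
        doc = parse_fw(text)
        print(f"{kind}: options={doc['OPTIONS']} problems={check_options(kind, doc['OPTIONS'])}")
```

Run as a script it reports that the constructed host.fw sets nf_conntrack_tcp_timeout_syn_recv below the documented 30 - 60 range and that the VM file uses a policy_out value outside ACCEPT | DROP | REJECT, while the cluster file passes; effective() returns the documented default for any option a file leaves unset, which is what the running firewall will use.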