Proxmox Firewall Guide
Setting up a proper firewall can be a real hassle. But don’t be afraid, I’m here to help.
Step 1: Aliases for individual VMs
To keep things organized, we should first add aliases for our individual VMs. For each VM in your PVE system, look up its IP address. Once you have a list of your VMs with their names and addresses, add them to the alias list of the firewall, found at Datacenter -> Firewall -> Alias. In this dashboard, use the add button to add an alias for each device by giving it a name and binding the IP/CIDR.
You can also add other relevant devices in this section, such as the IP addresses of the devices you will manage the Proxmox server from, for example your computer or mobile phone. Besides management devices, you should also add an alias for the PVE node itself, as it may be needed as a destination in the firewall at some point. Since I want to reach my Proxmox instance without typing an IP address, I also added ‘mdns’ to this section, with IP 224.0.0.251 (the mDNS multicast address).
Step 2: VM groups
After you have added aliases, you can create groups for similar devices, for example ‘management devices’ or, if you have multiple PVE nodes, ‘pvenodes’. These are added in the same firewall section, under IPSet.
Step 3: Security Groups
Now that our devices are ready to be used, we can make firewall rules for each VM. These rules can be difficult to set up, since you need a thorough understanding of what is happening in your VM. As an easy example, I will take a Minecraft server, since its ports are well known. We assume you have a VM running a Minecraft server. This means port 25565 should be exposed, and possibly 3306 if a database is connected. We should probably add a couple of rules:
Say that you want SSH access so you can manage the server from your management nodes. For this, we add a rule with direction IN and action ACCEPT, with source ‘management nodes’, which is an IPSet and should be in the dropdown. Our destination will be the alias ‘mcserver’, which you should already have made. Since SSH is a common port, we can use the macro dropdown as a shortcut for the port and choose SSH from this list.
Other rules you may consider:
- SSH mgmts -> mcserver
- UDP mgmts -> 25565, for direct server-joining capability of management nodes
- TCP mgmts -> 25565, both needed.
- Outgoing UDP connection, possibly through a proxy manager: source proxy manager, destination mcserver on port 25565
- Same as above but for TCP.
Step 4: Allow access to itself
Now that our rules are prepared, we can work towards enabling the firewall. However, we should first make sure we can still reach our Proxmox instance after enabling it. For this we make a rule at Datacenter -> Firewall: a rule from our management nodes to our PVE nodes, or insert a security group that contains multiple rules including this one. The rule should go from our management nodes to pvenodes on port 8006 TCP. The interface is probably vmbr0, but may differ.
Make sure the rules are enabled and at the top of the list. To block everything else, add another rule with direction IN and action DROP. Be sure the previous rule is in place and above the DROP, as otherwise you may lock yourself out of the Proxmox interface.
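Steps 1 to 4 correspond to what Proxmox stores in /etc/pve/firewall/cluster.fw. The script below is an added example, not part of this guide: it embeds a constructed cluster.fw (all addresses and the alias, IPSet and group names are assumptions) and checks the ordering caveat above, namely that the management ACCEPT rule for 8006/tcp sits above the catch-all IN DROP, since rules are evaluated top-down.

```shell
#!/bin/sh
# Added example, not part of the guide. Constructed cluster.fw mirroring
# Steps 1-4 (addresses, alias, IPSet and group names are assumptions), plus a
# check that the management ACCEPT for 8006/tcp sits above the catch-all
# IN DROP. Proxmox evaluates [RULES] top-down, so the order decides lockout.
CLUSTER_FW=$(cat <<'EOF'
[OPTIONS]
enable: 0

[ALIASES]
pve1 10.0.0.2
mcserver 10.0.0.50
laptop 10.0.0.20
phone 10.0.0.21
mdns 224.0.0.251

[IPSET management]
laptop
phone

[IPSET pvenodes]
pve1

[group mc-access]
IN SSH(ACCEPT) -source +management -dest mcserver
IN ACCEPT -source +management -dest mcserver -p tcp -dport 25565
IN ACCEPT -source +management -dest mcserver -p udp -dport 25565

[RULES]
IN ACCEPT -source +management -dest +pvenodes -p tcp -dport 8006 -i vmbr0
IN DROP -i vmbr0
EOF
)

# Print only the [RULES] section (stops at the next section header).
rules_section() {
    printf '%s\n' "$1" | awk '/^\[RULES\]/ { f = 1; next } /^\[/ { f = 0 } f'
}

# Prints "ok" when an IN ACCEPT from +management to tcp/8006 precedes the first
# IN DROP, "lockout" when the DROP comes first, "nodrop" when there is no DROP.
check_mgmt_before_drop() {
    rules_section "$1" | awk '
        /^IN ACCEPT/ && /-source [+]management/ && /-p tcp/ && /-dport 8006/ { seen = 1 }
        /^IN DROP/ { print (seen ? "ok" : "lockout"); found = 1; exit }
        END { if (!found) print "nodrop" }
    '
}

check_mgmt_before_drop "$CLUSTER_FW"
```

On a real node, `pve-firewall compile` is the authoritative syntax check for the file before you enable the firewall.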
Step 5: Adding firewall rules to VMs
Now only one more step remains: adding the prepared rules to our VMs, in our case the Minecraft VM. Go to this VM -> Firewall, insert the security group with the mc-access rules at the top of the list and enable the rule. Below this rule, add another rule that drops other traffic, as before, using direction IN and the DROP action. The interface for this is probably net0, but may differ in your case.
Step 6: Enabling the firewall
Now that all rules are prepared, we can begin enabling the firewalls. Note that the firewall is not one switch you can turn on; it exists at different levels. You can begin at VM level by going to VM -> Firewall -> Options -> Firewall and setting it to Yes. The firewall for this specific machine is now enabled.
Now we can enable the firewall for the whole Proxmox instance, at Datacenter -> Firewall -> Options -> Firewall, setting it to Yes.
Step 7: Confirming correct settings
We can now try to access Proxmox from our management devices; if everything went correctly, they should still have access from the IP addresses you added. You can also try accessing it from a non-whitelisted IP address and confirm that it is denied.
We can also confirm that the firewall works at VM level by trying to join our Minecraft server, or by probing a specific port.