In this video, we show you how to configure the firewall in Proxmox VE.

Unlike some other hypervisors you'll come across, Proxmox VE has a built-in firewall. This can restrict access to your hypervisor without having to purchase or install any additional software. The firewall also allows you to restrict access to your virtual machines, which is especially useful if an operating system doesn't have a software firewall. But more importantly, we're talking about local access, such as the traffic between the VMs. This is the sort of traffic your dedicated firewall appliance doesn't see and so can't control, and that is extremely helpful because it gives us another layer of security.

Steps Taken

The firewall is disabled by default, but before you enable it you should create rules to allow management access to your hypervisors, because once enabled, the hypervisor firewall becomes active immediately. Typically these rules should allow access to TCP port 8006 (GUI) and 22 (SSH) and, if you use SPICE, port 3128. You can apply rules on individual hypervisors or, for better management purposes, at the Datacenter level. In addition, rules should be created to allow access between the hypervisors themselves on TCP ports 8006 and 22.

Although the firewall has an implicit deny rule, this does not block local management access, nor does it log the traffic being dropped, so it is best to create an explicit deny rule as your last rule and log any hits.

The firewall can then be enabled by navigating to Datacenter | Firewall | Options, selecting Firewall, clicking Edit, enabling the firewall and clicking OK.

If you do lock yourself out, you can disable the firewall entirely using console access or, if possible, an SSH session:

nano /etc/pve/firewall/

Change the value to 0, then save the file.

Alternatively, you can stop the firewall service on a hypervisor through the CLI to regain access to that hypervisor:

pve-firewall stop

Once you have fixed the problem, you should then restart it:

pve-firewall start

Other interfaces on the hypervisor should also restrict inbound access. A storage interface usually only needs outbound access, so it can drop all inbound traffic. The firewall has built-in rules for cluster traffic, so all inbound traffic on that interface can also be dropped.

You can create an Alias to represent an IP address or an entire subnet so that you can use names instead of IP addresses in rules. Networks and hosts can also be grouped together by creating IP Sets to reduce the number of rules needed. Better still, you can consolidate rules by creating Security Groups, which you can then apply.

The firewall can also be configured on virtual machines, but this requires the rules to be applied to each individual VM. NOTE: You can create rules for VMs at a Datacenter or hypervisor level, but placing them there won't have any effect. Each VM can have its own Aliases and IP Sets, but for better management purposes you can use ones created at the Datacenter level. Better still, you can apply Security Groups created at the Datacenter level to a VM, meaning you only need to create one once and can then use it on any VM.

For VMs, the firewall's built-in implicit deny rule will block local access, but as this does not log any hits, it is better to create an explicit deny rule at the end to do the logging.

Each hypervisor and VM has a firewall log you can check in the GUI, but you can also run the following command from the CLI:

tail /var/log/

You can also find the rules for hypervisors and VMs in the /etc/pve/firewall/ folder on a hypervisor.

Chapters
00:00 Intro
00:53 Overview
03:06 Enable Firewall
07:37 Fix Lock Out
10:42 Hypervisor Rules
27:03 Alias
28:30 IP Set
29:49 Security Group
34:24 Hypervisor Rules Warning
35:31 Virtual Machine Rules
45:07 Logging & Troubleshooting

Credits
LoveLife | Instrumental Prod. Blue Mango | by Don Da Vinci
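As an added example that is not part of the video, here are the rules from the Steps Taken section written in the file format Proxmox VE keeps under /etc/pve/firewall/, for the Datacenter-level file (which Proxmox names cluster.fw) and for one VM. The alias, IP set, group and interface names and all addresses are constructed for illustration.

```ini
# Datacenter-level file /etc/pve/firewall/cluster.fw
# All names, addresses and the interface name below are constructed.
[OPTIONS]
enable: 1

[ALIASES]
mgmt_lan 192.0.2.0/24           # admin workstations

[IPSET pve_nodes]
192.0.2.11                      # pve1
192.0.2.12                      # pve2

[group management]
# Create these before enabling the firewall so you are not locked out
IN ACCEPT -source mgmt_lan -p tcp -dport 8006     # web GUI
IN ACCEPT -source mgmt_lan -p tcp -dport 22       # SSH
IN ACCEPT -source mgmt_lan -p tcp -dport 3128     # SPICE proxy
IN ACCEPT -source +pve_nodes -p tcp -dport 8006   # hypervisor to hypervisor
IN ACCEPT -source +pve_nodes -p tcp -dport 22

[group vm_admin]
IN ACCEPT -source mgmt_lan -p tcp -dport 22       # SSH into guests from admins
IN ACCEPT -source mgmt_lan -p icmp -icmp-type echo-request

[RULES]
GROUP management
# Storage interface only needs outbound access: drop all inbound on it
IN DROP -i ens19 -log info
# Explicit final deny with logging; the implicit deny logs nothing
IN DROP -log info


# Per-VM file /etc/pve/firewall/<VMID>.fw (<VMID> is a placeholder)
# The VM's network device must also have firewall=1 set for this to apply.
# Datacenter-level aliases, IP sets and groups can be referenced here; rules
# written for a VM at Datacenter or hypervisor level have no effect.
[OPTIONS]
enable: 1

[RULES]
GROUP vm_admin
IN DROP -log info                                 # logged deny for the guest
```

Hits on the final DROP rules appear in the per-host and per-VM firewall logs, which is how you tell a deliberate block from a lock-out caused by a missing management rule.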