Setting Up Proxmox Firewalls: A Practical Guide

If you're running a homelab or managing virtualized infrastructure with Proxmox VE, one of the most important, and often overlooked, aspects is network security. While it's tempting to rely solely on your edge firewall or router, Proxmox includes a built-in firewall system that adds an extra layer of protection directly at the hypervisor and VM level.
In this post, we’ll walk through setting up and managing the Proxmox firewall to better secure your virtual environment.
Why Use the Proxmox Firewall?
The Proxmox firewall offers:
- Granular control: Apply rules at the datacenter, node, and VM/container levels.
- Isolation: Segment networks between VMs/CTs.
- Fail-safe design: Firewall runs independently of the VMs, ensuring rules apply even if a guest OS is compromised.
- Integrated UI: Configure rules directly from the Proxmox web interface or CLI.
Let’s get started.
1. Enable the Firewall in Proxmox
By default, the firewall is disabled cluster-wide. To begin using it:
- Navigate to Datacenter > Firewall.
- Click Options, then set Firewall to Yes. In the config file this is `enable: 1` under `[OPTIONS]` in /etc/pve/firewall/cluster.fw.
- Check Node > YourNodeName > Firewall > Options. The host-level firewall is normally on by default, so it becomes active as soon as the datacenter switch is flipped; verify it rather than assume it.
- For each VM or CT, enable the firewall under its Firewall > Options and also tick the Firewall checkbox on each of its network devices (the `firewall=1` flag on net0, net1, ...). Without the per-NIC flag, guest-level rules are never applied to that interface.
This hierarchical setup allows you to define global rules while also setting node- and VM-specific policies.
2. Set Default Policies
Next, establish sensible default policies. At Datacenter > Firewall > Options, set:
- Input Policy: DROP
- Output Policy: ACCEPT
This ensures only explicitly allowed inbound connections are accepted, while outbound traffic is allowed by default. Apply the same at the Node level. In the config files these are `policy_in: DROP` and `policy_out: ACCEPT` under `[OPTIONS]`.
Note: when you first enable the firewall, Proxmox still allows SSH (22) and the web UI (8006) from the `local_network` alias it detects. If you manage the cluster from any other network, or later tighten those defaults, add an explicit allow rule for your management IP before enabling restrictive rules, or you'll lock yourself out. If that happens anyway, `pve-firewall stop` from the node console disables the rules so you can repair the config.
3. Define Datacenter-Level Rules
Datacenter-level rules apply across all nodes. This is a good place to allow essential management traffic. In the GUI they go under Datacenter > Firewall; in /etc/pve/firewall/cluster.fw they go in the `[RULES]` section. Note that the file uses Proxmox's own option names (`-p`, `-dport`, `-sport`, `-source`, `-dest`, `-i`, `-log`), not iptables flags such as `-s` or `--dport`:
```
[RULES]
# Allow SSH from the admin host only
IN ACCEPT -p tcp -dport 22 -source <your-ip>/32
# Allow Web UI
IN ACCEPT -p tcp -dport 8006 -source <your-ip>/32
# Ping (optional)
IN ACCEPT -p icmp
```
The built-in macros express the same thing more compactly, for example `IN SSH(ACCEPT) -source <your-ip>/32`.
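Steps 1 to 3 above are where people lock themselves out: the input policy is DROP before the management allow rules exist. The following shell script is an added example, not code from the original post or from Proxmox; it parses the `[RULES]` section of a cluster.fw and refuses to proceed unless SSH (22) and the web UI (8006) are allowed from the admin host. The config path, the admin IPs and the sample config it writes are assumptions made up for the example, and it only reads the file; the `fw_enable` helper that flips `enable: 1` is shown but not run.

```shell
#!/bin/sh
# Added example (not from the original post or from Proxmox): pre-flight check
# before enabling a DROP-by-default datacenter firewall. Paths, IPs and the
# sample config are constructed for this example.

# fw_preflight <cluster.fw> <admin-ip>
# Returns 0 when enabled (not commented out, not "|"-disabled) IN ACCEPT rules
# exist for tcp/22 and tcp/8006 from <admin-ip>, 1 otherwise. Understands the
# explicit "-dport 22" form and the SSH(ACCEPT) macro; a /32 suffix is ignored.
fw_preflight() {
    cfg=$1
    admin=${2%/32}
    for port in 22 8006; do
        if ! awk -v port="$port" -v admin="$admin" '
            /^[[:space:]]*#/ { next }                 # comment line
            substr($1, 1, 1) == "|" { next }          # disabled rule
            /^\[/ { in_rules = ($0 == "[RULES]"); next }
            in_rules && $1 == "IN" {
                ok_port = 0; ok_src = 0
                if ($2 == "SSH(ACCEPT)" && port == "22") ok_port = 1
                if ($2 != "ACCEPT" && $2 != "SSH(ACCEPT)") next
                for (i = 3; i < NF; i++) {
                    if ($i == "-dport" && $(i + 1) == port) ok_port = 1
                    if ($i == "-source") {
                        src = $(i + 1); sub(/\/32$/, "", src)
                        if (src == admin) ok_src = 1
                    }
                }
                if (ok_port && ok_src) { found = 1; exit }
            }
            END { if (found) exit 0; exit 1 }' "$cfg"; then
            echo "fw_preflight: no enabled IN ACCEPT for tcp/$port from $admin in $cfg" >&2
            return 1
        fi
    done
    return 0
}

# fw_enable <cluster.fw> <admin-ip>: run the check, then switch enable: 0 -> 1.
# On a real node this edits the live cluster config; keep a console open.
fw_enable() {
    fw_preflight "$1" "$2" || return 1
    sed -i 's/^enable: 0$/enable: 1/' "$1"
}

# Constructed sample cluster.fw (not from a real cluster) used for the demo.
write_sample_cfg() {
    cat > "$1" <<'EOF'
[OPTIONS]
enable: 0
policy_in: DROP
policy_out: ACCEPT

[RULES]
IN ACCEPT -p tcp -dport 22 -source 203.0.113.10/32 # SSH from admin host
IN SSH(ACCEPT) -source 198.51.100.7 # second admin, via macro
|IN ACCEPT -p tcp -dport 8006 -source 198.51.100.7 # disabled: web UI for second admin
IN ACCEPT -p tcp -dport 8006 -source 203.0.113.10
IN ACCEPT -p icmp
EOF
}

# Demo run on a temp copy: the first admin passes, the second would lose the web UI.
tmp=$(mktemp)
write_sample_cfg "$tmp"
fw_preflight "$tmp" 203.0.113.10 && echo "203.0.113.10: safe to enable"
fw_preflight "$tmp" 198.51.100.7 || echo "198.51.100.7: would be locked out of the web UI"
rm -f "$tmp"
```

The check deliberately ignores `|`-prefixed (disabled) rules and anything outside `[RULES]`, which is exactly how Proxmox treats them, so a rule that is present but disabled does not count as protection.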
4. Configure Node-Level Rules
You can override or supplement datacenter rules per node (Node > Firewall in the GUI, /etc/pve/nodes/<node>/host.fw on disk). Host rules filter traffic to and from the node itself, not the bridged traffic of the guests running on it, so they are the place to tighten management access: on a node that should only ever be reached for administration, drop everything to the host except the Proxmox management ports, and control reachability of its VMs with VM-level rules.
5. VM and Container Rules
One of the strengths of Proxmox’s firewall is VM-level rules. You can:
- Isolate test environments.
- Lock down exposed services.
- Restrict traffic between containers.
Example for a web server container (/etc/pve/firewall/<vmid>.fw, or VM/CT > Firewall in the GUI):
```
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
# Allow HTTP/HTTPS
IN ACCEPT -p tcp -dport 80
IN ACCEPT -p tcp -dport 443
# Drop all other input traffic (redundant with policy_in DROP, kept for readability)
IN DROP
```
This guest now only accepts inbound traffic on ports 80 and 443, provided the Firewall flag is set on its network device (`firewall=1` on net0); without that flag the rules are not applied to the interface and the guest stays wide open.
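The per-NIC flag is the part of the VM-level setup that is easiest to miss, because the rules look correct in the GUI yet never apply. The script below is an added example, not code from the original post or from Proxmox: it generates a `<vmid>.fw` that allows only the listed TCP ports, and audits a `qm config` / `pct config` style dump for network devices that lack `firewall=1`, printing the `qm set` command that would fix each one rather than running it. The VMID, the sample config dump and the output path are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from Proxmox). VMID 100, the
# sample config dump and the output path are constructed for this example.

# gen_vm_fw <out-file> <tcp-port>...
# Writes a per-guest firewall file that only accepts the listed TCP ports,
# with a logged catch-all so test traffic shows up in the firewall log.
gen_vm_fw() {
    out=$1; shift
    {
        printf '[OPTIONS]\nenable: 1\npolicy_in: DROP\npolicy_out: ACCEPT\n\n[RULES]\n'
        for p in "$@"; do
            printf 'IN ACCEPT -p tcp -dport %s -log nolog\n' "$p"
        done
        printf 'IN DROP -log info # catch-all, logged while testing\n'
    } > "$out"
}

# nic_firewall_audit <vmid> <config-dump> [qm|pct]
# Reads "qm config <vmid>" (or "pct config") style output from a file and, for
# every netN line without firewall=1, prints the set command that adds it.
# Returns 1 if at least one NIC is unprotected, 0 if all carry the flag.
nic_firewall_audit() {
    vmid=$1; dump=$2; tool=${3:-qm}; missing=0
    while IFS= read -r line; do
        case $line in
            net[0-9]*:*) ;;   # only network device lines
            *) continue ;;
        esac
        nic=${line%%:*}
        opts=${line#*: }
        case ",$opts," in
            *,firewall=1,*) ;;
            *)
                missing=1
                echo "$nic: firewall flag missing -> $tool set $vmid -$nic $opts,firewall=1"
                ;;
        esac
    done < "$dump"
    return $missing
}

# Constructed "qm config 100" dump (not from a real VM): net1 lacks the flag.
write_sample_vm_config() {
    cat > "$1" <<'EOF'
boot: order=scsi0
cores: 2
memory: 2048
name: web01
net0: virtio=BC:24:11:AA:BB:CC,bridge=vmbr0,firewall=1
net1: virtio=BC:24:11:DD:EE:FF,bridge=vmbr1
scsi0: local-lvm:vm-100-disk-0,size=32G
EOF
}

# Demo: write the guest rules, then audit the NICs.
fw=$(mktemp); dump=$(mktemp)
gen_vm_fw "$fw" 80 443
write_sample_vm_config "$dump"
nic_firewall_audit 100 "$dump" || echo "guest rules in $fw will not apply to the NIC(s) above"
rm -f "$fw" "$dump"
```

On a real node the generated file would go to /etc/pve/firewall/100.fw and the printed `qm set` command is what you would run; for containers pass `pct` as the third argument so the fix-up command uses `pct set`.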
6. Logging and Testing
Enable logging temporarily while testing:
- On a rule, set Log Level to `info` (`-log info` in the file) while testing and back to `nolog` when finalized. Packets dropped by the default policy are logged according to the `log_level_in` / `log_level_out` options. Entries land in /var/log/pve-firewall.log and are shown under Firewall > Log in the GUI.
- Use `pve-firewall compile` to see the iptables rules Proxmox generates from your config, `pve-firewall status` to confirm it is enabled and running, and `iptables -L -n` (or `iptables-save` for the full chain set) on the node to view the live rules.
- Use tools like `nmap` and `curl` from other hosts to confirm traffic behavior.
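While a rule is logging at `info`, the useful question is "who is being dropped, on which port, by which chain", which is hard to answer by eyeballing the raw log. The script below is an added example, not code from the original post or from Proxmox: it summarizes DROP entries by chain, source and destination port. The sample log lines it writes are constructed to approximate the pvefw-logger format (`<vmid> <level> <chain> <timestamp> <verdict>: <iptables LOG fields>`) with some fields trimmed; the parser only relies on the `DROP:` marker and the `SRC=` / `PROTO=` / `DPT=` tokens, which are standard iptables LOG output.

```shell
#!/bin/sh
# Added example (not from the original post or from Proxmox). The log lines
# below are constructed to approximate /var/log/pve-firewall.log and are
# not real captures.

# fw_drop_summary <logfile>
# Prints "count chain src proto dport" for every DROP entry, most frequent
# first. Entries without a DPT (ICMP) get "-" as the port.
fw_drop_summary() {
    awk '
        /DROP: / {
            src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # $3 is the chain: PVEFW-HOST-IN for the node, tap<vmid>i<n>-IN for a guest NIC
            n[$3 " " src " " proto " " dpt]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2
}

# fw_top_dropped_source <logfile>: just the source with the most DROP entries.
fw_top_dropped_source() {
    awk '/DROP: / { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
         END { for (k in n) if (n[k] > best) { best = n[k]; top = k }; print top }' "$1"
}

# Constructed sample log: three web UI probes from one host, two SSH probes
# from another, one accepted admin login (must be ignored) and one ICMP drop
# on a guest interface.
write_sample_log() {
    cat > "$1" <<'EOF'
0 6 PVEFW-HOST-IN 02/Jun/2024:10:15:01 +0000 policy DROP: IN=vmbr0 PHYSIN=eno1 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=8006 SYN URGP=0
0 6 PVEFW-HOST-IN 02/Jun/2024:10:15:03 +0000 policy DROP: IN=vmbr0 PHYSIN=eno1 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=8006 SYN URGP=0
0 6 PVEFW-HOST-IN 02/Jun/2024:10:15:05 +0000 policy DROP: IN=vmbr0 PHYSIN=eno1 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=51236 DPT=8006 SYN URGP=0
0 6 PVEFW-HOST-IN 02/Jun/2024:10:16:10 +0000 policy DROP: IN=vmbr0 PHYSIN=eno1 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TTL=48 ID=4 DF PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
0 6 PVEFW-HOST-IN 02/Jun/2024:10:16:12 +0000 policy DROP: IN=vmbr0 PHYSIN=eno1 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TTL=48 ID=5 DF PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
0 6 PVEFW-HOST-IN 02/Jun/2024:10:17:00 +0000 ACCEPT: IN=vmbr0 PHYSIN=eno1 SRC=203.0.113.10 DST=192.0.2.10 LEN=60 TTL=60 ID=6 DF PROTO=TCP SPT=55000 DPT=22 SYN URGP=0
100 6 tap100i0-IN 02/Jun/2024:10:18:30 +0000 policy DROP: IN=fwbr100i0 PHYSIN=fwln100i0 SRC=198.51.100.23 DST=10.0.0.5 LEN=84 TTL=51 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

# Demo run.
log=$(mktemp)
write_sample_log "$log"
fw_drop_summary "$log"
echo "top dropped source: $(fw_top_dropped_source "$log")"
rm -f "$log"
```

Run it against /var/log/pve-firewall.log on the node (or `journalctl` output piped to a file) after a `nmap` or `curl` test from another host: the expected probes should show up as drops on the right chain, and anything unexpected in the top entries is either a missing rule or someone knocking.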
Tips & Best Practices
- Rule order matters: Rules are processed top-down and the first match wins. Place broad `DROP` rules last.
- Use IP sets: Group IPs/networks under Firewall > IP Sets (referenced as `+setname` in rules) for cleaner rules; aliases work the same way for single hosts or networks.
- Backup rules: The firewall configuration is plain text in /etc/pve/firewall/ (cluster.fw and one <vmid>.fw per guest) and /etc/pve/nodes/<node>/host.fw, so copying those files backs up the rules. Note that `pve-firewall localnet` only prints the detected local network and does not export rules; `pve-firewall compile` shows the generated iptables rules if you want to archive the effective rule set as well.
- Version control: Track changes with Git or your preferred system if using CLI config files.
Conclusion
Proxmox's firewall is a powerful, underutilized tool that can significantly enhance your infrastructure security without needing external appliances. By setting layered policies and VM-level rules, you reduce the risk of lateral movement and external exposure.