Skip to main content

Integrated Firewall

Proxmox includes a built-in firewall that can be configured at the Datacenter, Node, and VM/Container level.

Firewall Hierarchy

  • Datacenter — rules that apply to all nodes in the cluster
  • Node — rules specific to the Proxmox host itself
  • VM/Container — rules specific to individual VMs/containers

Enabling the Firewall

  1. Go to Datacenter > Firewall > Options
  2. Set Firewall to Yes (Enabled)
  3. Do the same for your node: Node > Firewall > Options
  4. For a specific VM/Container: select it > Firewall > Options > Enable

Warning: Always create rules to allow SSH (port 22) and the Proxmox web UI (port 8006) BEFORE enabling the firewall, or you may lock yourself out.

Creating Firewall Rules

  1. Go to the relevant level (Datacenter, Node, or VM)
  2. Go to Firewall > Add
  3. Configure the rule:
        • Direction: in (incoming) or out (outgoing)
        • Action: Accept, Drop, or Reject
        • Protocol: TCP, UDP, ICMP, etc.
        • Source / Destination IP: leave blank for any, or specify an IP range
        • Dest. Port: e.g., 22 for SSH, 8006 for Proxmox UI, 80/443 for web
        • Comment: add a description for the rule
  4. Click Add

Security Groups

Security groups are reusable sets of firewall rules. Create a group once and apply it to multiple VMs.

  1. Datacenter > Firewall > Security Group > Create
  2. Name the group (e.g., web-servers)
  3. Add rules to the group
  4. Apply the group to individual VMs in their firewall settings
Back to top