# Integrated Firewall

Proxmox includes a built-in firewall that can be configured at the Datacenter, Node, and VM/Container level.

#### Firewall Hierarchy

- **Datacenter** — rules that apply to all nodes in the cluster
- **Node** — rules specific to the Proxmox host itself
- **VM/Container** — rules specific to individual VMs/containers

#### Enabling the Firewall

1. Go to Datacenter > Firewall > Options
2. Set Firewall to Yes (Enabled)
3. Do the same for your node: Node > Firewall > Options
4. For a specific VM/Container: select it > Firewall > Options > Enable

**Warning**: Always create rules to allow SSH (port 22) and the Proxmox web UI (port 8006) BEFORE enabling the firewall, or you may lock yourself out.
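The lockout warning above can be checked from the host shell before the firewall is switched on. The script below is an added example, not part of the original page or of Proxmox itself: it assumes the Datacenter rules are in the `cluster.fw` text format (stored at `/etc/pve/firewall/cluster.fw`), runs against a constructed sample, and reads only `-p`/`-dport` and the `SSH` macro, ignoring `-source` and `-i`. The names `has_accept_rule` and `preflight` are chosen for this example.

```shell
# Added example (not Proxmox code): lockout pre-flight check for a firewall rule file.
# Assumption: only -p/-dport and the SSH macro are read; -source and -i are ignored.
# has_accept_rule FILE PORT: true if the first enabled IN rule matching tcp/PORT is ACCEPT.
has_accept_rule() {
    awk -v port="$2" '
    function covers(spec, p,   n, parts, i, m, r) {  # "22", "80,443", "8000:8010"
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            m = split(parts[i], r, ":")              # single port: r[1] is both bounds
            if (p + 0 >= r[1] + 0 && p + 0 <= r[m] + 0) return 1
        }
        return 0
    }
    /^\[/ { in_rules = (tolower($0) ~ /^\[rules\]/); next }  # section header
    { sub(/#.*/, "") }                                       # strip trailing comment
    !in_rules || $1 != "IN" { next }   # skips blanks, OUT rules and disabled "|IN" rules
    {
        action = $2; proto = ""; dport = ""
        if (action == "SSH(ACCEPT)") { action = "ACCEPT"; proto = "tcp"; dport = "22" }
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-dport") dport = $(i + 1)
        }
        if (proto != "" && proto != "tcp") next
        if (dport != "" && !covers(dport, port)) next
        verdict = action; exit                 # first matching rule decides
    }
    END { exit (verdict == "ACCEPT" ? 0 : 1) }' "$1"
}

preflight() {   # succeeds only if SSH (22) and the web UI (8006) are both accepted
    rc=0; for port in 22 8006; do
        if has_accept_rule "$1" "$port"; then echo "ok: tcp/$port accepted"
        else echo "MISSING: no ACCEPT for tcp/$port"; rc=1; fi
    done
    return $rc
}
# Constructed sample in cluster.fw format (not taken from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[OPTIONS]
enable: 0
[RULES]
|IN ACCEPT -p tcp -dport 8006 # disabled rule, does not count
IN SSH(ACCEPT) -source 192.168.1.0/24 # constructed admin LAN
IN ACCEPT -p tcp -dport 8006
IN DROP
EOF
preflight "$SAMPLE"
```

On a Proxmox host, `preflight /etc/pve/firewall/cluster.fw` runs the same check against the live Datacenter rules; a non-zero exit means one of the two management ports has no matching ACCEPT.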

#### Creating Firewall Rules

1. Go to the relevant level (Datacenter, Node, or VM)
2. Go to **Firewall** > **Add**
3. Configure the rule:
   - Direction: in (incoming) or out (outgoing)
   - Action: Accept, Drop, or Reject
   - Protocol: TCP, UDP, ICMP, etc.
   - Source / Destination IP: leave blank for any, or specify an IP range
   - Dest. Port: e.g., 22 for SSH, 8006 for Proxmox UI, 80/443 for web
   - Comment: add a description for the rule
4. Click **Add**

#### Security Groups

Security groups are reusable sets of firewall rules. Create a group once and apply it to multiple VMs.

1. Datacenter > Firewall > Security Group > Create
2. Name the group (e.g., web-servers)
3. Add rules to the group
4. Apply the group to individual VMs in their firewall settings