Integrated Firewall

Proxmox includes a built-in firewall that can be configured at the Datacenter, Node, and VM/Container level. 
 
 Firewall Hierarchy 
 
 Datacenter — rules that apply to all nodes in the cluster 
 Node — rules specific to the Proxmox host itself 
 VM/Container — rules specific to individual VMs/containers 
 
 
 Enabling the Firewall 
 
 Go to Datacenter > Firewall > Options 
 Set Firewall to Yes (Enabled) 
 Do the same for your node: Node > Firewall > Options 
 For a specific VM/Container: select it > Firewall > Options > Enable 
 
 Warning : Always create rules to allow SSH (port 22) and the Proxmox web UI (port 8006) BEFORE enabling the firewall, or you may lock yourself out. 
 
 Creating Firewall Rules 
 
 
 Go to the relevant level (Datacenter, Node, or VM) 
 Go to Firewall > Add 
 Configure the rule:     • Direction: in (incoming) or out (outgoing)     • Action: Accept, Drop, or Reject     • Protocol: TCP, UDP, ICMP, etc.     • Source / Destination IP: leave blank for any, or specify an IP range     • Dest. Port: e.g., 22 for SSH, 8006 for Proxmox UI, 80/443 for web     • Comment: add a description for the rule 
 Click Add 
 
 
 Security Groups 
 Security groups are reusable sets of firewall rules. Create a group once and apply it to multiple VMs. 
 
 Datacenter > Firewall > Security Group > Create 
 Name the group (e.g., web-servers) 
 Add rules to the group 
 Apply the group to individual VMs in their firewall settings