This is a companion article to the previous one about the networking setup for proxmox when you only have a single public IP address (e.g in a data center). Setting up the firewall of proxmox is a crucial step when you try to harden your server. This is especially necessary when your server is publicly available, more so if you host public services.
IMPORTANT: At first create all firewall rules without enabling it. Otherwise you will lock yourself out. Just follow this article and you will have no trouble.
Setup
We will start editing the rules from top to bottom. First select the firewall (2) option on the Datacenter (1) level on the left to create a security group (3). A security group contains multiple firewall rules which can easily be applied to multiple vms/container. To accomplish it you just have to click create (4) in the left column and type in a name. If the security group is selected you can add a specific rule to this group. Just use the button add (5) in the right column.
The following dialog should be presented to you:
Here you can specify which rules should be applied to the firewall. I recommend creating a group for servers which host a website to shrink both rules for http and https into one group. I personally would also add a group for standard administration protocols/ports such as allowing icmp messages for pings. When you create your own rules don’t forget to check the enable box. Otherwise those rules will be ignored when the firewall gets activated. Leave a comment if you wish a more detailed explanation of editing firewall rules.
Next we can apply the security groups by selecting a specific VM or Proxmox node, then the firewall option and then the “Insert: Security Group”. In the dialog that opens, choose from your created groups and check the enable box next to it. To apply the changes click add.
Of course it’s would be very impractical if you had to create a group for single rules. If only a single rules needs to be added just select the specific VM or Proxmox node, then the firewall option and then the “Add” Button. You should see the same dialog as if you were adding a rule to a security group.
One very important rule you should definitely add to your Proxmox node and your Datacenter is to allow access to your WebUI. The rule should look like this:
Depending on your preferences ssh access to your Datacenter/Proxmox node may be required. The rule to achieve this look like this:
Note that it is not required to add a rule on Proxmox Node level or even Datacenter level to allow a guest to use a special port. Imagine a container which requires port 12345, just add the rule for port 12345 to the container but not to the Datacenter.
Before you activate the firewall in the next step double check that you added and enabled the rule for the WebUI to the Datacenter and Proxmox node settings. Every other rule can be added/changed afterwards if something was set wrong. But those two are VERY important.
When every thing is confirmed to be correct go ahead and enable the firewall from top to bottom. Begin with the Datacenter. Go to Datacenter-> Firewall -> Options and change the option Firewall to “Yes”. Continue with the Proxmox node (Node->Firewall->Options->Firewall: “Yes”).
Recover
If you should encounter connection issues after activating the firewall it’s laborious to recover. Luckily there is still a way. First of all check if you can ssh into the system. If so you are lucky because you can skip the next few steps and continue with editing the cluster.fw file.
If not boot from a live USB/ISO and mount your proxmox node file system. Then chroot yourself into the system. Now you can edit contents on your system.
Open the file /etc/pve/firewall/cluster.fw and change the option “enable” from 1 to 0. This deactivates the firewall. After a reboot your WebUI should be reachable again.
Hopefully you didn’t have to use the recover chapter and found the article useful.
For now – signing off.
