[TUTORIAL] Configuration of PVE Firewall for PMG Guest

Apr 11, 2022
This is a rough draft of an idea from this thread over in the PMG forum:
https://forum.proxmox.com/threads/how-to-close-open-port-111.43310/

Two notes: it would be nice if a future version of PVE included macros for the PVE web interface and for PMG submission. There is a "Submission" macro, but it is not for port 26. Also, there is a "PMG" macro for the PMG web interface, which technically covers the same port number as the PVE web interface, but if an admin who is not familiar with the systems needs to do work, that could be a little confusing. Alternatively, the macro could be renamed to "PMG/PVE".

WARNING: MAKE SURE TO CONFIGURE THE HOST ZONE CORRECTLY OR YOU WILL BE LOCKED OUT.

If you get locked out, you will need to edit the files in this directory from the console:
/etc/pve/firewall/

These settings are based on the information in the PMG documentation here:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#:~:text=2.3.-,Firewall Settings,-In order to
There is an additional rule to allow Let's Encrypt's Certbot to renew certificates as needed, but that can be removed if you're not using Certbot.

Admin IPSet

Datacenter > Firewall > IPSet > Create:
Name: admin
Comment: Admin IPs and ranges
> OK
Datacenter > Firewall > IPSet > admin > Add:
IP/CIDR: <ipORrange>
Comment: <describeIP>
> Create

Host Zone (PVE)

GUI/API

Datacenter > Firewall > Add:
Direction: in
Action: ACCEPT
Enable: true
Protocol: tcp
Source: +admin
Dest. port: 8006
Comment: Allow PVE GUI/API in from admin IPs and ranges
> OK
Order: 0

SSH

Datacenter > Firewall > Add:
Direction: in
Action: ACCEPT
Enable: true
Macro: SSH
Source: +admin
Comment: Allow SSH in from admin IPs and ranges
> OK
Order: 1

Enable

Datacenter > Firewall > Options > Firewall > Edit:
Firewall: true

Guest Zone (PMG)

Security Group

Datacenter > Firewall > Security Group > Create:
Name: pmg
Comment: Proxmox Mail Gateway
> Create

Mailserver IPSet

Datacenter > Firewall > IPSet > Create:
Name: mailservers
Comment: Mail server IPs
> OK
Datacenter > Firewall > IPSet > mailservers > Add:
IP/CIDR: <ipORrange>
Comment: <hostname>
> Create

Rules

HTTP

Datacenter > Firewall > Security Group > pmg > Add:
Direction: in
Action: ACCEPT
Enable: true
Macro: HTTP
Comment: Allow HTTP in for certbot renewal
> OK
Order: 0

SMTP

Datacenter > Firewall > Security Group > pmg > Add:
Direction: in
Action: ACCEPT
Enable: true
Macro: SMTP
Comment: Allow SMTP in
> OK
Order: 1

Submission:26

Datacenter > Firewall > Security Group > pmg > Add:
Direction: in
Action: ACCEPT
Enable: true
Protocol: tcp
Source: +mailservers
Dest. port: 26
Comment: Allow submission on port 26 from mail servers
> OK
Order: 2

GUI/API

Datacenter > Firewall > Security Group > pmg > Add:
Direction: in
Action: ACCEPT
Enable: true
Macro: PMG
Source: +admin
Comment: Allow PMG GUI and API in from admin IPs and ranges
> OK
Order: 3

Apply Security Group

Datacenter > {node} > {vm} > Hardware > net0 > Edit:
Firewall: true
> OK
Datacenter > {node} > {vm} > Firewall > Insert Security Group:
Security Group: pmg
Interface: net0
Enable: true
Comment: PMG security group rules
> Add
Datacenter > {node} > {vm} > Firewall > Options > Firewall > Edit:
Firewall: true
> OK
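For reference, this is what the GUI steps above produce on disk, which is also what you would edit from the console if the host zone locks you out. This is an added example written for this post, not a file from the Proxmox project; the IP addresses and hostnames are constructed placeholders, and the VM's file name is its VMID, shown here as <vmid>.

```ini
# --- /etc/pve/firewall/cluster.fw (constructed example) ---
[OPTIONS]
enable: 1

[IPSET admin] # Admin IPs and ranges
192.0.2.10 # admin workstation (placeholder)
198.51.100.0/24 # admin office range (placeholder)

[IPSET mailservers] # Mail server IPs
203.0.113.25 # mx1.example.test (placeholder hostname)

[RULES]
IN ACCEPT -source +admin -p tcp -dport 8006 # Allow PVE GUI/API in from admin IPs and ranges
IN SSH(ACCEPT) -source +admin # Allow SSH in from admin IPs and ranges

[group pmg] # Proxmox Mail Gateway
IN HTTP(ACCEPT) # Allow HTTP in for certbot renewal
IN SMTP(ACCEPT) # Allow SMTP in
IN ACCEPT -source +mailservers -p tcp -dport 26 # Allow submission on port 26 from mail servers
IN PMG(ACCEPT) -source +admin # Allow PMG GUI and API in from admin IPs and ranges

# --- /etc/pve/firewall/<vmid>.fw (constructed example) ---
[OPTIONS]
enable: 1

[RULES]
GROUP pmg -i net0 # PMG security group rules
```

Rule order in the file is the evaluation order, matching the Order column in the GUI. The `Firewall: true` checkbox on net0 is not stored here; it lives in the VM's own config (`/etc/pve/qemu-server/<vmid>.conf`) as the `firewall=1` option on the `net0:` line, and the security group does nothing on that interface until it is set. After editing by hand, `pve-firewall compile` will report syntax errors before the rules are loaded, and `pve-firewall status` confirms the firewall is running.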