Datacenter firewall rules not applied to VM > Host traffic?


Active Member
Jul 2, 2010
So I have a Proxmox machine in a co-lo with a public range on vmbr0 (It's a single server co-lo so I don't have a router/firewall I control upstream)

It's firewalled using the PVE firewall, configured under the datacenter tab and I've confirmed I cannot access the Proxmox UI.etc from an untrusted IP on the internet.

However I found I can access the PVE webUI/SSH.etc from VM's sitting in the same Subnet even though there's no rule in the PVE firewall to allow this access.

Doesn't seem to make a difference as to if firewalli is switched on in the VM configuration, it looks like the default outbound allow for the VM's allows full access to the host.

I guess i'll need to put a deny rule in the outbound firewall configuration for any VM's I create but ideally the host should apply input rules for VM > Host traffic.

Edit: Running PVE 7.3.4
if the VM is on the same subnet as the host, it likely is covered by the automatic "cluster-internal host<->host ACCEPT" rules for the API and SSH (and some other) ports..


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!