Datacenter firewall rules not applied to VM > Host traffic?

dragon2611

So I have a Proxmox machine in a co-lo with a public range on vmbr0 (it's a single-server co-lo, so I don't have a router/firewall I control upstream).

It's firewalled using the PVE firewall, configured under the datacenter tab, and I've confirmed I cannot access the Proxmox UI etc. from an untrusted IP on the internet.

However, I found I can access the PVE web UI/SSH etc. from VMs sitting in the same subnet even though there's no rule in the PVE firewall to allow this access.

It doesn't seem to make a difference whether the firewall is switched on in the VM configuration; it looks like the default outbound allow for the VMs allows full access to the host.

I guess I'll need to put a deny rule in the outbound firewall configuration for any VMs I create, but ideally the host should apply input rules for VM > Host traffic.

Edit: Running PVE 7.3.4
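One way to write the per-VM deny rule mentioned above in the PVE firewall's own file format (/etc/pve/firewall/<vmid>.fw), as an added example that is not from this thread; the host address is a constructed placeholder, and the rules only take effect on VM NICs that have the firewall flag set:

```ini
# Added example, not from the thread: /etc/pve/firewall/<vmid>.fw for one VM.
# Assumes the host's public address is 203.0.113.10 (constructed placeholder)
# and that the VM's NIC has firewall=1, otherwise this file is ignored.
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
# Drop and log VM -> host connections to the PVE web UI (8006) and SSH (22);
# explicit rules are evaluated before the outbound ACCEPT policy applies.
OUT DROP -dest 203.0.113.10 -p tcp -dport 8006 -log info
OUT DROP -dest 203.0.113.10 -p tcp -dport 22 -log info
```

The `-log info` entries make any blocked attempt visible in the host's firewall log, which is the check to run after applying the file.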

If the VM is on the same subnet as the host, it is likely covered by the automatic "cluster-internal host<->host ACCEPT" rules for the API and SSH (and some other) ports.