So I have a Proxmox machine in a co-lo with a public range on vmbr0 (it's a single-server co-lo, so I don't have a router/firewall I control upstream).
It's firewalled using the PVE firewall, configured under the datacenter tab, and I've confirmed I cannot access the Proxmox UI etc. from an untrusted IP on the internet.
However, I found I can access the PVE webUI/SSH etc. from VMs sitting in the same subnet even though there's no rule in the PVE firewall to allow this access.
It doesn't seem to make a difference whether the firewall is switched on in the VM configuration; it looks like the default outbound allow for the VMs allows full access to the host.
I guess I'll need to put a deny rule in the outbound firewall configuration for any VMs I create, but ideally the host should apply input rules for VM > Host traffic.
Edit: Running PVE 7.3.4