Do I Need the PVE Firewall?

dixie2000

Member
May 16, 2023
I run Proxmox PVE on my home network - a couple of VMs and several containers. Do I need to enable firewall rules? What are the criteria for determining that?

Many thanks...
 
If you are paranoid or really care about security, yes.
A good rule of thumb for security (but not great for convenience) would be to block/drop all incoming and outgoing traffic on the datacenter + VM/LXC level firewalls and only whitelist the few IPs and ports that actually really need to be open.
 
A security benefit of using the PVE firewalls vs. running a firewall inside a VM's OS is also that the guest OS can't change the firewall rules.
If I have all ports open on the PVE's VM level and then only block all ports except for port 80 inside the guest OS, and then the VM gets compromised, the malware/attacker might be able to disable the firewall of the guest OS and open all ports again.
If you set the rules on the PVE's VM firewall to drop everything except for port 80 and the VM gets compromised, the attacker can't open any ports and is locked inside that VM with only port 80 open as an attack vector to spread across your network, compromising other hosts or VMs/LXCs.

So it's more about reducing the amount of damage an attacker can cause in your LAN once you get hacked. Ideally your router's firewall won't let any traffic through from the internet to your LAN, so you don't get hacked in the first place. Here, using a VPN tunnel instead of making all services publicly available via port-forwards would help.
 
Thanks for the additional information. As I am somewhat new to networking and firewall configuration, can you provide any documentation on setting up a "basic" configuration?
 
A good starting point would be to read this: https://pve.proxmox.com/wiki/Firewall

Then enable the firewall on datacenter level (or firewalls on VM/LXC level won't work) as well as for each individual VM/LXC. And set the "Input Policy" and "Output Policy" to drop. Then everything will be blocked and nothing will work. Then you read the documentation of all of your services and find out what open ports each service actually needs. Then you open those ports until everything is barely working again.
 
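The default-drop setup described in the last answer can be checked mechanically. The following is an added example, not part of the original thread and not Proxmox tooling: it assumes the plain-text `.fw` file format documented on the linked wiki page (`enable`, `policy_in` and `policy_out` under `[OPTIONS]`, one rule per line under `[RULES]`), and the file names and sample contents are constructed.

```python
# Added example: check Proxmox VE firewall files against "drop all, allow few".
DEFAULTS = {"enable": "0", "policy_in": "DROP", "policy_out": "ACCEPT"}  # PVE defaults

# Constructed sample of a guest file such as /etc/pve/firewall/100.fw
VM_STRICT = """\
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: DROP

[RULES]
IN ACCEPT -p tcp -dport 80 # the one published service
OUT ACCEPT -p udp -dport 53 # DNS lookups
|IN ACCEPT -p tcp -dport 22 # leading '|' marks a disabled rule
"""
# Constructed sample of a weak guest file: output policy left at its default
VM_WEAK = "[OPTIONS]\nenable: 1\n\n[RULES]\nIN ACCEPT\n"

def parse_fw(text):
    """Return (options, active rules) from the [OPTIONS] and [RULES] sections."""
    options, rules, section = dict(DEFAULTS), [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
        elif section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
        elif section == "RULES" and not line.startswith("|"):
            rules.append(line.split())
    return options, rules

def audit(name, text):
    """List every point where the file deviates from default-drop."""
    options, rules = parse_fw(text)
    findings = []
    if options["enable"] != "1":
        findings.append(f"{name}: firewall not enabled")
    for key in ("policy_in", "policy_out"):
        if options[key].upper() != "DROP":
            findings.append(f"{name}: {key} is {options[key]}, expected DROP")
    for rule in rules:
        # Macro rules such as HTTP(ACCEPT) carry their own ports; only plain ACCEPT is checked.
        if len(rule) > 1 and rule[1].upper() == "ACCEPT" and "-dport" not in rule:
            findings.append(f"{name}: rule '{' '.join(rule)}' has no -dport limit")
    return findings
```

Calling `audit("101.fw", VM_WEAK)` reports the permissive output policy and the unrestricted `IN ACCEPT` rule, while the strict sample produces no findings.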
