A security benefit of using the PVE firewalls vs. running a firewall inside a VM's OS is also that the guest OS can't change the firewall rules.
If I have all ports open at the PVE's VM level and then only block all ports except for port 80 inside the guest OS, and then the VM gets compromised, the malware/attacker might be able to disable the firewall of the guest OS and open all ports again.
If you set the rules on the PVE's VM firewall to drop everything except for port 80 and the VM gets compromised, the attacker can't open any ports and is locked inside that VM with only port 80 open as an attack vector to spread across your network, compromising other hosts or VMs/LXCs.
So it's more about reducing the amount of damage an attacker can cause in your LAN once you get hacked. Ideally your router's firewall won't let any traffic through from the internet to your LAN, so you don't get hacked in the first place. Here, using a VPN tunnel instead of making all services publicly available via port-forwards would help.
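An added example, not part of the post above: a small audit of a per-VM PVE firewall file (on the host under `/etc/pve/firewall/<VMID>.fw`) that reports anything wider than "drop everything except port 80". The sample file content is constructed, the function names are hypothetical, and the parser only covers the `[OPTIONS]`/`[RULES]` subset shown here.

```python
# Constructed sample of a per-VM firewall file; "|" marks a disabled rule.
SAMPLE_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP

[RULES]
IN ACCEPT -p tcp -dport 80
IN ACCEPT -p tcp -dport 22 # left over from setup
|IN ACCEPT -p tcp -dport 3306
"""

def parse_fw(text):
    """Split a .fw file into an options dict and a list of active rule tokens."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("|"):     # skip blanks and disabled rules
            continue
        if line.startswith("[") and line.endswith("]"):
            section = (line[1:-1].split() or [""])[0].upper()
        elif section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
        elif section == "RULES":
            rules.append(line.split())
    return options, rules

def audit(text, allowed_ports=frozenset({"80"})):
    """Return findings where the host-side rules are wider than intended."""
    options, rules = parse_fw(text)
    findings = []
    if options.get("enable") != "1":
        findings.append("firewall is not enabled for this VM")
    if options.get("policy_in", "").upper() != "DROP":
        findings.append("policy_in is not explicitly DROP")
    for rule in rules:
        if len(rule) < 2 or rule[0].upper() != "IN" or "ACCEPT" not in rule[1].upper():
            continue
        if "-dport" not in rule[:-1]:
            findings.append("inbound accept with no explicit -dport: " + " ".join(rule))
            continue
        ports = rule[rule.index("-dport") + 1].split(",")
        extra = [p for p in ports if p not in allowed_ports]
        if extra:
            findings.append("inbound accept on unexpected port(s) " + ",".join(extra))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FW):
        print(finding)
```

Because the file lives on the PVE host, the check runs there as well, outside the reach of anything inside the guest.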