Feature Request: Object-based Firewall Rules for VMs

EmpireCool

Jan 14, 2025
Hi Proxmox team,

I’d like to suggest an improvement for the Proxmox Firewall: the ability to define firewall rules not only based on static IP addresses, but directly on VM objects.

The idea is to create rules that reference virtual machines by their name, ID, or tags — similar to how it’s implemented in solutions like VMware.

So instead of defining a rule like
Allow TCP from 192.168.100.12 to 192.168.100.20
you could simply write something like:
Allow HTTP from VM “web01” to VM “app01”
or
Allow SSH from all VMs tagged “dev” to “git-server”

This would make firewall configuration much clearer and more flexible — especially in dynamic environments.

Thanks in advance!

Best regards,
Adrian
 
Hi,
have you had a look at using IPSets and Security Groups already? It is not an exact fit to what you're suggesting, but it provides at least a structured approach to what I understand you're describing.
 
Hi,
thank you for your message.

I am aware of IPsets and Security Groups, and they already do a great job.
However, I would like to have the ability to create firewall rules based on, for example, the VM ID instead of the VM’s IP address (I know that I can create an IPset, but there I still have to define IP addresses manually).

This would enable VM identity–based microsegmentation within Proxmox, reducing the reliance on static IP-based rules.
 
That's most likely not possible because the IP address of the VM is only reported if you have the qemu agent running in the VM, but what if you have a VM that does not have qemu guest utils installed? Then the IP address is not reported back to PVE. There are also many special cases that prevent this from being implemented easily, like multiple IPs / NICs / VLANs in a VM ...
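Approximating the tagged-VM rule from the request with what exists today, as an added example that is not part of this thread or of Proxmox: a Python sketch that selects VMs by tag, takes the addresses the guest agent reports, and emits pvesh calls to fill an IPSet that a Security Group rule can then reference. The `qm config` and `network-get-interfaces` data is constructed inline, and the pvesh endpoint usage is an assumption; VMs that report no address (the guest-agent gap raised in the last reply) are listed separately instead of being silently dropped.

```python
import ipaddress
import re

# Constructed stand-ins for the `tags:` line of `qm config <vmid>`.
VM_CONFIG = {
    100: "name: web01\ntags: dev;web\n",
    101: "name: git-server\ntags: dev\n",
    102: "name: db01\ntags: prod\n",   # not tagged dev: filtered before lookup
    103: "name: legacy\ntags: dev\n",  # tagged dev, but no guest agent
}

def ifc(name, *addrs):  # one entry in the shape network-get-interfaces returns
    return {"name": name, "ip-addresses": [{"ip-address": a} for a in addrs]}

# Constructed stand-ins for `qm guest cmd <vmid> network-get-interfaces`.
GUEST_IFACES = {
    100: [ifc("lo", "127.0.0.1"), ifc("eth0", "192.168.100.12", "fe80::1")],
    101: [ifc("ens18", "192.168.100.20", "10.0.0.5")],
    103: None,  # agent not running: PVE has no address to report
}

def vm_tags(config_text):
    m = re.search(r"^tags:\s*(.*)$", config_text, re.M)
    return {t for t in re.split(r"[;,]", m.group(1)) if t} if m else set()

def guest_addresses(ifaces):
    """Addresses reported by the guest agent, minus loopback/link-local."""
    addrs = {ipaddress.ip_address(e["ip-address"])
             for i in ifaces or [] for e in i.get("ip-addresses", [])}
    return {str(a) for a in addrs if not (a.is_loopback or a.is_link_local)}

def ipset_members(tag):
    """vmid -> addresses for VMs tagged `tag`; also VMs that reported none."""
    members, skipped = {}, []
    for vmid, cfg in VM_CONFIG.items():
        if tag not in vm_tags(cfg):
            continue
        addrs = guest_addresses(GUEST_IFACES.get(vmid))
        if addrs:
            members[vmid] = sorted(addrs)
        else:
            skipped.append(vmid)  # flag for review, never drop silently
    return members, skipped

def pvesh_commands(ipset, members):
    # Assumed pvesh/API shape: create the cluster IPSet, then add each CIDR.
    cmds = [f"pvesh create /cluster/firewall/ipset --name {ipset}"]
    for vmid, addrs in sorted(members.items()):
        cmds += [f"pvesh create /cluster/firewall/ipset/{ipset} --cidr {a}"
                 f" --comment vm{vmid}" for a in addrs]
    return cmds
```

A Security Group rule can then reference the set (for instance `IN SSH(ACCEPT) -source +dev-vms`), and it keeps following the tag only as long as the sync is re-run whenever VMs are added, retagged or change address.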