Firewall questions


Jun 1, 2020
Proxmox 8.1.3 - So we have a firewall at the Datacenter, Node and VM level. I want to add a rule so that all VMs cannot access a computer (not on Proxmox) on a specific IP addresses. Do I need to add the DROP rule on each VM or can I put one DROP rule at the Node level?

On a firewall rule, if I leave the "Interface" or "Protocol" fields blank, does that mean all interfaces or all protocols apply? Or is this an invalid rule?

So does a rule at the DC level apply to each node in a cluster? Does it apply to the VMs in the cluster?

Some thing have learned:
  • At the DC level, and options, make sure Input and Output policies are both set to ACCEPT. Otherwise when you enable the firewall at the DC level, you will get locked out of the GUI. (I think)
  • At the DC level enable the firewall, otherwise none of the firewall rules apply.
  • If you add a rule at the DC level, it does not apply to the VM.
  • If you disable the firewall at the node level, the firewall at the VM level still works.
  • At the node level - I have not seem where that firewall comes into play.
  • When writing a rule through the GUI, a blank entry in protocol, macro, interface means no limits. i.e. allow all protocols.
  • If you start a ping then add a rule to block the pings, because ping has already established a connect, the ping will continue to work. But if you do something like this you get immediate feedback.
 while true
  ping -c 1 -W 1 x.x.x.18 | grep "loss"
  sleep 1
Last edited:


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!