I cannot seem to find any documentation regarding the firewall rule precedence between a VM, node/host, and the datacenter. Specifically, which level has the ultimate authority when determining if something is blocked or allowed.
For example, let's say I create a rule at the datacenter level to REJECT all port 80 traffic, but I need to allow port 80 for one specific VM. If I then create an ALLOW rule on that (one) VM's firewall (on the Proxmox side), which rule takes precedence?
If the precedence order is such that a VM rule overrides a Node/Host rule, and a Node/Host rule overrides a Datacenter rule, it would be beneficial to have an additional option at the datacenter and node/host levels. This option, perhaps a checkbox per rule, would prevent the Host/VM from overriding the higher-level rule. This would ensure those rules are applied before the lower-level rules, while the "non-checked" rules would load later as usual.