[SOLVED] PVE 8.4 Firewall is NFT enabled by default

KatyComputer

Well-Known Member
Sep 26, 2019
The manual says we can enable nftables by setting the nftables:1 option.

My freshly loaded PVE 8.4 box doesn't have a /etc/pve/nodes/<node_name>/host.fw file, however when I execute "systemctl status proxmox-firewall" the system reports:
root@vm101-02:~# systemctl status proxmox-firewall
● proxmox-firewall.service - Proxmox nftables firewall
     Loaded: loaded (/lib/systemd/system/proxmox-firewall.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-04-13 14:30:22 CDT; 12min ago
   Main PID: 1137 (proxmox-firewal)
      Tasks: 1 (limit: 76248)
     Memory: 3.7M
        CPU: 372ms
     CGroup: /system.slice/proxmox-firewall.service
             └─1137 /usr/libexec/proxmox/proxmox-firewall

Apr 13 14:30:22 vm101-02 systemd[1]: Started proxmox-firewall.service - Proxmox nftables firewall.
root@vm101-02:~#


This leads me to believe nftables is loaded without me running apt install proxmox-firewall or printf "\n[OPTIONS]\nnftables: 1\n">>/etc/pve/nodes/$HOSTNAME/host.fw

Curiously, the GUI shows the firewall is on, however nftables (tech preview) is off.

Did something change in 8.4? Perhaps nftables is selected by default.
 
The daemon has always been running since the introduction of proxmox-firewall, but it does not do anything until you explicitly enable nftables in the settings.
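Added check script (not from this thread or from Proxmox): it reads the [OPTIONS] section of a node's host.fw for the "nftables: 1" option quoted above and then reports which backend currently holds rules. It assumes the nftables firewall installs tables named "proxmox-firewall" and the legacy iptables firewall uses chains prefixed "PVEFW-".

```shell
#!/bin/sh
# Added example, not from the forum thread or the Proxmox project.
# Assumption: the nftables backend creates tables named "proxmox-firewall";
# the legacy iptables backend creates chains prefixed "PVEFW-".

# Print 1 if FILE enables nftables in its [OPTIONS] section, else 0.
# A missing or unreadable file counts as 0 (the firewall default).
hostfw_nftables_enabled() {
    f="$1"
    if [ ! -r "$f" ]; then echo 0; return 0; fi
    awk '
        # Track the current section, e.g. "[OPTIONS]" -> "options".
        /^[ \t]*\[/ { sec = $0; gsub(/[^A-Za-z]/, "", sec); sec = tolower(sec); next }
        # "nftables: 1" only counts inside [OPTIONS]; a later line overrides.
        sec == "options" && /^[ \t]*nftables[ \t]*:/ {
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            found = (val == "1") ? 1 : 0
        }
        END { print found + 0 }
    ' "$f"
}

# Report which backend actually holds rules right now: "nftables",
# "iptables", or "none". Needs root on the node; elsewhere it prints "none".
live_backend() {
    if nft list tables 2>/dev/null | grep -q 'proxmox-firewall'; then
        echo nftables
    elif iptables-save 2>/dev/null | grep -q 'PVEFW-'; then
        echo iptables
    else
        echo none
    fi
}

# Compare the configured option with the live state for one host.fw path.
report() {
    cfg=$(hostfw_nftables_enabled "$1")
    echo "host.fw nftables option: $cfg (1 = enabled)"
    echo "backend holding rules:   $(live_backend)"
}

# Run against this node's own config when it exists.
HOSTFW="/etc/pve/nodes/$(hostname)/host.fw"
if [ -r "$HOSTFW" ]; then report "$HOSTFW"; fi
```

A node that shows option 0 but backend "nftables" (or the reverse) has not been restarted or reloaded since the option changed and is worth a second look.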
 