Set an inbound ALLOW rule for a per-VM firewall

circuitcat

Nov 9, 2025
I'm sure this is going to be a painfully beginner question and I apologize from the start:

I'm attempting to expose a single VM to 8080 and 443. Unfortunately, networking is not my strong suit. I have two rules assigned to it, set up as shown here:

[screenshot attachment: 1762957101653.png]
(and then for HTTPS the source port is set to 443, but the rest of the screenshot is the same)

This has not exposed the webserver (I'm attempting to run SANS's dshield honeypot; its status script is what's reporting the failure).

I enabled FIREWALL=YES on the VM; it warned that the firewall was not enabled at the Datacenter level, so I then did that. All this achieved was apparently a DENY-ALL default rule that has locked me out of the console. This leads me to two questions:

- How do I disable the datacenter level firewall directly from the host?

- How do I properly set a single VM on the host to be exposed to the internet?
 
The rule in the picture has a source port entry. But you're trying to connect TO the VM, so it must be the Dest. port instead.
For disabling the firewall of the host, edit the file /etc/pve/firewall/cluster.fw and either remove the enabled: 1 in [OPTIONS] or just set it to 0.
If you're connecting to the PVE host from outside the local network of the host, you will need suitable rules for connecting to it before re-enabling the firewall, like those listed here: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_ports_used_by_proxmox_ve
Only allow the ones required for your use case, of course.
 
Thank you, the cluster.fw advice allowed me to regain access. I then followed your link; I don't think I need any of them, as this just needs (as far as I understand it) HTTP and possibly HTTPS exposed. However, after setting both rules with the given ports in destination as you described, I still get the following from dshield:

[screenshot attachment: 1762985514632.png]

My rules look like the following:

[screenshot attachment: 1762985550105.png]

Am I missing something obvious, or is this more of a question for the dshield community?
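The two fixes discussed in this thread (turning the datacenter-level firewall off in cluster.fw, and keying the VM's inbound rules on the destination port rather than the source port) can be expressed as edits to Proxmox's plain-text firewall files. The script below is an added example written for this page, not code from the thread or from Proxmox; it works only on constructed copies of the files in a temporary directory, never on /etc/pve itself (which is the live cluster filesystem), and it assumes the pve-firewall file syntax of `[OPTIONS]` with `enable:` and `[RULES]` lines of the form `IN ACCEPT -p tcp -dport <port>`, with VM id 100 as a placeholder.

```shell
#!/bin/sh
# Added example: operates on constructed copies of Proxmox firewall files,
# never on the real /etc/pve/firewall/ directory.
WORK="$(mktemp -d)"
CLUSTER_FW="$WORK/cluster.fw"   # stands in for /etc/pve/firewall/cluster.fw
VM_FW="$WORK/100.fw"            # stands in for /etc/pve/firewall/<vmid>.fw (vmid 100 is a placeholder)

# Constructed datacenter-level config with the firewall switched on.
cat > "$CLUSTER_FW" <<'EOF'
[OPTIONS]
enable: 1
EOF

# Constructed VM-level rule set as first written in the thread: both rules match
# on the SOURCE port. Inbound clients use random high source ports, so these rules
# never match and the honeypot's 8080/443 listeners stay unreachable.
cat > "$VM_FW" <<'EOF'
[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -p tcp -sport 8080
IN ACCEPT -p tcp -sport 443
EOF

# Edit a file in place without relying on non-portable `sed -i` flags.
rewrite_file() {
  expr="$1"; file="$2"
  sed "$expr" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Flip the datacenter firewall off, as the reply describes, to regain console access.
disable_cluster_fw() {
  rewrite_file 's/^enable: 1$/enable: 0/' "$1"
}

# Rewrite inbound TCP rules that match on -sport so they match on -dport instead.
fix_vm_rules() {
  rewrite_file 's/^\(IN ACCEPT -p tcp \)-sport \([0-9][0-9]*\)$/\1-dport \2/' "$1"
}

# Return 0 (true) if the file still has any inbound rule keyed on a source port.
has_sport_rule() {
  grep -q '^IN .* -sport ' "$1"
}

# Return 0 (true) if an inbound ACCEPT for the given destination TCP port exists.
allows_dport() {
  grep -q "^IN ACCEPT -p tcp -dport $2\$" "$1"
}

# Stand-alone run: apply both fixes and show the resulting files.
disable_cluster_fw "$CLUSTER_FW"
fix_vm_rules "$VM_FW"
echo "--- cluster.fw ---"; cat "$CLUSTER_FW"
echo "--- 100.fw ---";     cat "$VM_FW"
```

After the edits, `has_sport_rule` reports no leftover source-port rules and `allows_dport` finds inbound accepts for 8080 and 443 only; nothing else is opened, which matches the reply's point that the datacenter firewall should be re-enabled only once the host itself has the rules it needs.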