Set an inbound ALLOW rule for a per-VM firewall

circuitcat

New Member
Nov 9, 2025
I'm sure this is going to be a painfully beginner question and I apologize from the start:

I'm attempting to expose a single VM to 8080 and 443. Unfortunately, networking is not my strong suit. I have two rules assigned to it, set up as shown here:

(attached screenshot of the HTTP rule)
(and then for HTTPS the source port is set to 443, but the rest of the screenshot is the same)

This has not exposed the webserver (I'm attempting to run SANS's DShield honeypot; its status script is what's reporting the failure).

I enabled FIREWALL=YES on the VM; it warned the Firewall was not enabled at the Datacenter level, so I then did that. All this achieved was apparently a DENY-ALL default rule that has locked me out of the console. This leads me to two questions:

- How do I disable the datacenter level firewall directly from the host?

- How do I properly set a single VM on the host to be exposed to the internet?
 
The rule in the picture has a source port entry. But you're trying to connect TO the VM, so it must be the destination port instead.
For disabling the firewall of the host, edit the file /etc/pve/firewall/cluster.fw and either remove the enabled: 1 in [OPTIONS] or just set it to 0.
If you're connecting to the PVE host from outside the local network of the host, you will need suitable rules for connecting to it before re-enabling the firewall, like those listed here: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_ports_used_by_proxmox_ve
Only allow the ones required for your use case, of course.
 
Thank you, the cluster.fw advice allowed me to regain access. I then followed your link; I don't think I need any of them, as this just needs (as far as I understand it) HTTP and possibly HTTPS exposed. However, after setting both rules with the given ports in destination as you described, I still get the following from dshield:

(attached screenshot of the dshield status output)

My rules look like the following:

(attached screenshot of the firewall rules)

Am I missing something obvious, or is this more of a question for the dshield community?
 
I don't know dshield, but I would assume that it needs either a publicly reachable IP address or correct port forwarding at the NAT gateway.
Which one is your setup?
 
I'm going to say port forwarding at the moment, but admittedly I'm at a loss of where to go from here. In my router I set a port forwarding rule for HTTP, with internal and external ports of 80, set to the device IP.
 
If the router is configured to forward port 80/tcp and the firewall is open at 8080/tcp and 443/tcp, how does this fit together?
Shouldn't the router forward the ports you configured in the firewall, too? And shouldn't the firewall have a rule for port 80/tcp as well?
Btw, the Proxmox firewall has macros for web traffic, including HTTPS and HTTP (ports 80 and 443 TCP). Using them could reduce the number of required rules.
 
...yes, they should. Apologies, as I mentioned networking is not a strong suit of mine. I've updated the Router rules to include the missing ports, and replaced what I had in Proxmox with the two macros for HTTP and HTTPS. (See below: )
(attached screenshots of the updated router and Proxmox rules)
(HTTPS 2 is just named that because the router requested a unique service name)

Update: Yes, I forgot 8080 in the Proxmox firewall and to check them off for "on". This has been corrected.
 
The rules in Proxmox firewall are not enabled, the checkboxes in column On are not ticked.
HTTPS/HTTP traffic usually comes from a random high port to the specified one, like 443 or 80. The rules on the router look like the source ports are fixed too, which seems incorrect to me.
 
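As an added example (not from any of the posts above), this is what the datacenter file and a per-VM file from this thread look like in the /etc/pve/firewall/ syntax, with the original source-port rules kept but disabled next to the corrected destination-port rules and the HTTP/HTTPS macros. VMID is a placeholder; the option key in these files is spelled enable.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter level)
[OPTIONS]
# 0 = datacenter firewall off, which is what restored console access here.
# Before switching this back to 1, add the host rules you actually need
# (management ports from the admin guide), so the implicit DROP does not
# lock the console out again.
enable: 0

# /etc/pve/firewall/<VMID>.fw  (per-VM; only applies to NICs with firewall=1)
[OPTIONS]
enable: 1
# Inbound traffic that matches no rule below is dropped.
policy_in: DROP

[RULES]
# First attempt, left disabled (leading '|'): matching on the SOURCE port
# never hits, because clients connect from a random high port.
|IN ACCEPT -p tcp -sport 80
|IN ACCEPT -p tcp -sport 443

# Corrected: match the DESTINATION port of the inbound connection.
IN HTTP(ACCEPT)                # macro: tcp dport 80
IN HTTPS(ACCEPT)               # macro: tcp dport 443
IN ACCEPT -p tcp -dport 8080   # no macro for 8080, so an explicit port rule
```

The router side has to mirror this: forward 80, 443 and 8080 to the VM's address with no fixed source port, and the rules in the GUI only take effect once their "On" checkbox is ticked.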