Setting up HOST only firewalls in my cluster


Active Member
I am trying to set up the pve firewall so that the rules only impact the cluster hosts themselves and not any of the VMs, which are already behind their own firewalls.

I have added my networks to the 'management' IP-Set, and I have turned on the firewall at the Data Centre level. The INPUT Policy is DROP; the Output Policy is ACCEPT.

When I turn on the firewall on the individual hosts, I almost immediately find that some of the VM services stop working and I typically lose access to the host via the Web UI.

I don't understand what I am doing wrong and would really like to be able to restrict access to the hosts to get on top of the continuous SSH probing etc.


Active Member
Sep 21, 2018
Make sure you have the firewall disabled/unticked on the VM NICs.

Then the rules will only be applied to the hosts.


Active Member
None of the VMs have the firewall option on the NIC checked, the VM Firewalls are all set to NO.

I am really confused. My goal is to have cluster-wide rules that limit access to the hosts but allow full access to the VMs. But I can't work out how to do this, as turning on the firewall at both the cluster and host level impacts the VMs.

BTW: Am running 6.1.5 on all nodes.


Active Member
I am wondering whether what I should be doing is to set the DataCentre policy to INPUT: ALLOW and then to create an IPSet for the hosts and then create specific rules that drop all traffic to the hosts (except the management IPset). I am also experimenting with /etc/hosts.allow to at least block SSH from unwanted sources.

