Proxmox Firewall
When the Proxmox firewall feature is enabled in the Proxmox connection settings, a "Firewall" tab appears on the server detail page. The following features are supported:
- Firewall settings: Configure the default input and output policy.
- Rule management: Manage firewall rule entries.
Enabling Firewall Management
Firewall management is a connection feature and is enabled per connection. To enable it for an existing server:
- Open the server detail page and go to "Configuration".
- Edit the Proxmox connection assignment.
- Enable the "Firewall Management" feature and save.
Once enabled, the "Firewall" tab appears on the server page.
For servers created from a VPS plan, the feature can also be enabled directly on the plan. Every new VM created from that plan then has firewall management enabled by default. More information can be found here.
Bulk enabling the firewall feature for existing servers
To enable firewall management on existing servers in bulk, use the servers:updateServerConnections CLI command on the main server:
app servers:updateServerConnections --connectionType=proxmox --field=enable_firewall_management --value=1
Before applying anything, the command shows a preview table of all affected servers and asks for confirmation. The command also supports filters to limit which servers are affected. Run app servers:updateServerConnections without arguments to see the full documentation, including all available filters.
Default Policy
The "Settings" dialog controls the default policy:
- Input policy - the default action for incoming traffic that does not match any rule.
- Output policy - the default action for outgoing traffic that does not match any rule.
The available actions are Accept, Drop, and Reject.
Rules
For each rule, it is possible to specify the direction (In/Out), action (Accept/Drop/Reject), protocol, source and destination address and port, interface, a comment, and an enabled flag.
Rules are evaluated from top to bottom and can be reordered.
Interaction with the IP Spoofing Filter
The IP spoofing filter ensures a server can only use the IP addresses assigned to it. This protection only works while the firewall is enabled and the network interface has the firewall flag set.
Since the IP spoofing filter only works when the firewall is enabled, the firewall cannot be disabled by the customer. The firewall can only be turned off by the administrator.
Troubleshooting
Message: "The firewall is currently disabled for this server"
Full message: "The firewall is currently disabled for this server. Rules are saved but will not be enforced until it is enabled by your provider."
The message means that either the firewall flag is not set for the NIC of the server, or the firewall option is disabled in Proxmox (VM -> Firewall -> Options).
Rules can still be managed, but do not take effect. To solve this, enable the firewall on the VPS NIC and enable the VM Firewall option in the VM configuration at "Firewall" -> "Options" in Proxmox.
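The two conditions behind this message can also be checked on the Proxmox node itself. The following is an added example, not code from the panel or from Proxmox: it parses a guest config and the guest's firewall file (standard Proxmox locations /etc/pve/qemu-server/<vmid>.conf and /etc/pve/firewall/<vmid>.fw) and reports why saved rules would not be enforced. The function names are hypothetical and the sample file contents are constructed.

```python
import re

# Constructed sample of a guest config (/etc/pve/qemu-server/<vmid>.conf).
SAMPLE_VM_CONF = """\
cores: 2
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,firewall=1
net1: virtio=BC:24:11:00:00:02,bridge=vmbr1
[snap1]
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0
"""

# Constructed sample of a guest firewall file (/etc/pve/firewall/<vmid>.fw).
SAMPLE_FW = """\
[OPTIONS]
enable: 0
policy_in: DROP
policy_out: ACCEPT

[RULES]
IN ACCEPT -p tcp -dport 22
"""

def nics_without_firewall(vm_conf):
    """Names of netN devices in the current config that lack firewall=1."""
    missing = []
    for line in vm_conf.splitlines():
        if line.startswith("["):  # snapshot/pending sections follow; stop here
            break
        m = re.match(r"(net\d+):\s*(.+)", line)
        if m and "firewall=1" not in [o.strip() for o in m.group(2).split(",")]:
            missing.append(m.group(1))
    return missing

def fw_options(fw_text):
    """Parse the [OPTIONS] section of a guest .fw file into a dict."""
    opts, section = {}, None
    for line in (raw.strip() for raw in fw_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").upper()
        elif section == "OPTIONS" and ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def enforcement_problems(vm_conf, fw_text):
    """Reasons the saved rules would not be enforced (empty list = enforced)."""
    problems = [f"{nic}: firewall flag not set" for nic in nics_without_firewall(vm_conf)]
    if fw_options(fw_text).get("enable", "0") != "1":  # unset is treated as disabled
        problems.append("VM firewall option is disabled")
    return problems
```

With the constructed samples, the check reports both causes: net1 has no firewall flag, and the VM firewall option is off, so the saved SSH rule and the Drop input policy are not in effect.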