pve-firewall
Manage Proxmox Virtual Environment firewall rules
TLDR
Compile and print all firewall rules
Show information about the local network
Restart the Proxmox VE Firewall service
Start the Proxmox VE Firewall service
Stop the Proxmox VE Firewall service
Simulate all firewall rules
Show the status of Proxmox VE Firewall
SYNOPSIS
pve-firewall
PARAMETERS
--digest
Only verify the configuration file if the digest matches. Use 'pve-firewall digest' to get the current digest.
--configfile
Use the specified configuration file. The default is /etc/pve/firewall/cluster.fw.
log
Show firewall log
compile
Compile the firewall rules
status
Show firewall status
digest
Calculate the configuration file digest
help
Show help
DESCRIPTION
The `pve-firewall` command is a command-line interface for managing the Proxmox Virtual Environment (PVE) firewall. It allows you to define and manage firewall rules for virtual machines (VMs), containers, and the Proxmox VE host itself. This firewall is based on iptables and offers a flexible and robust way to secure your virtualized environment.
Using this command, you can create rules to allow or deny traffic based on source and destination IP addresses, ports, and protocols. It integrates directly with the Proxmox VE web interface, allowing for both CLI and GUI-based management. The firewall operates at the datacenter, node, and VM/container levels, enabling granular control over network access. Key features include rule ordering, logging, and integration with other Proxmox VE features like HA (High Availability).
FIREWALL CONCEPTS
The Proxmox VE firewall uses a hierarchical structure. Rules are applied in the order: Datacenter -> Node -> VM/Container. If a rule matches at a higher level, it takes precedence. This allows for centralized management while still providing flexibility at the VM/Container level.
The firewall also provides 'ipset' support for grouping multiple IP addresses or networks into a single entry.
RULE MANAGEMENT
The actual firewall rules are defined in JSON format within the configuration file. The `pve-firewall` command provides tools to manipulate this file. However, it's generally recommended to manage rules via the Proxmox VE web interface or API for easier administration. The 'compile' command builds the iptables rules according to the JSON configuration file.
SEE ALSO
iptables(8)